Protect Your Secrets: Bruno Meets HashiCorp Vault

Written by Ganesh Patil | Aug 6, 2025

In today's interconnected world, applications rely heavily on sensitive data like API keys, database credentials, and access tokens. Managing these "secrets" securely is paramount, yet often overlooked. Storing them in environment variables or configuration files might seem convenient, but it introduces significant security risks and operational headaches.

Enter HashiCorp Vault and Bruno. In this blog post, we'll explore what HashiCorp Vault is, why you desperately need it, and how to seamlessly integrate it with your Bruno API client for a more secure and efficient development workflow.

What is HashiCorp Vault?

At its core, HashiCorp Vault is a sophisticated tool designed for securely accessing secrets. It's not just a storage solution; it's a comprehensive secret management system that handles the entire lifecycle of your sensitive data.

Think of Vault as:

  • A Centralized, Highly Secure Safe: Instead of scattering your database passwords or Stripe API keys across multiple servers and configuration files, Vault provides one secure, encrypted location to store them all.
  • An On-Demand Secret Dispenser: Applications don't need to know the actual secrets. They ask Vault for a secret when they need it, and Vault delivers it only if the application is authorized.
  • A Dynamic Credential Generator: For many systems (like databases, cloud providers), Vault can even create brand new, temporary credentials "on the fly" for your applications, automatically revoking them after a set time. This dramatically reduces the risk of long-lived, compromised credentials.

Getting Started with HashiCorp Vault (Dev Mode)

For development and testing, Vault offers a convenient "dev mode" that gets you up and running instantly.

Let’s dive in!

Please note: This mode is NOT for production use.

1. Install Vault

If you're on macOS using Homebrew:

brew tap hashicorp/tap
brew install hashicorp/tap/vault

For other operating systems, refer to the official Vault downloads page.

2. Run Vault in Development Mode

Open your terminal and execute:

vault server -dev
 
Important: Keep this terminal window open! This is your running Vault server. Note down the Root Token and the URL (which will be http://127.0.0.1:8200). You'll need these shortly. The dev server is not exposed publicly: it binds only to your local machine (`127.0.0.1`), and because dev mode keeps everything in memory, all data is lost when you stop the server. The root token grants unrestricted access to this Vault instance, so treat it as a secret even in development.

Integrating Vault with Bruno

Bruno makes integrating with Vault incredibly straightforward, allowing you to fetch your secrets directly into your API requests.

1. Configure Secret Manager in Bruno

  • Open Bruno.
  • Navigate to Preferences.
  • Go to the Secret Manager section.
  • Click "Add Secret Provider" and select Vault.

2. Fill in Vault Connection Details

This tells Bruno how to connect to your running Vault instance:

  • Name: Give this Vault connection a meaningful name (e.g., "Local Dev Vault").
  • Secret Manager: Select "Vault" from the dropdown.
  • URL: Enter the address of your dev server: http://127.0.0.1:8200
  • Namespace: For your dev server, leave this blank. (Namespaces are primarily for Vault Enterprise deployments).
  • Auth Method: Select Token.
  • Token: Paste the Root Token you noted from the `vault server -dev` output.

Click "Test Provider" to check the connection, then "Add" to register this Vault configuration in Bruno.

3. Enable and Map Secrets at the Collection Level

Now, go to your Bruno Collection settings (usually by clicking on your collection name in the sidebar).

  • Go to the Secrets tab.
  • Check the "Enabled" checkbox to activate Vault integration for this collection.
  • In the "Name Path Secrets" section, you'll define which Vault secrets map to Bruno variables. For each secret you want to use:
    • Variable Name: The name you'll use in your Bruno requests (e.g., stripeKey).
    • Vault Path: The full path to your secret in Vault (e.g., secret/my-app/api-keys).
    • Key in Secret: The specific key within that secret (e.g., stripe_secret_key).

Example mapping:

Variable Name   Vault Path               Key in Secret
stripeKey       secret/my-app/api-keys   stripe_secret_key
googleKey       secret/my-app/api-keys   google_api_key

Save your collection settings.
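
As an added example (not part of the original post or of Bruno's code), this Node.js script shows what the Vault Path and Key in Secret columns correspond to in Vault's KV v2 HTTP API and seeds the dev server with the example secret. It assumes the dev server's default KV v2 engine at secret/, the root token in a VAULT_TOKEN environment variable, and constructed placeholder values; the function names and the SEED_DEV_VAULT switch are hypothetical.

```javascript
// Added example (not from the original post). Assumes the dev server's default
// KV v2 engine mounted at "secret/" and that the first path segment is the mount.
const VAULT_ADDR = 'http://127.0.0.1:8200';

// KV v2 inserts "data/" between the mount and the secret path in the HTTP API.
function kvV2Url(addr, vaultPath) {
  const [mount, ...rest] = vaultPath.split('/').filter(Boolean);
  if (!mount || rest.length === 0) throw new Error(`bad Vault path: ${vaultPath}`);
  return `${addr}/v1/${mount}/data/${rest.map(encodeURIComponent).join('/')}`;
}

// Build the write request for one secret; values travel in the body under "data".
function buildWrite(addr, token, vaultPath, keyValues) {
  return {
    url: kvV2Url(addr, vaultPath),
    options: {
      method: 'POST',
      headers: { 'X-Vault-Token': token, 'Content-Type': 'application/json' },
      body: JSON.stringify({ data: keyValues }),
    },
  };
}

// Pull one key out of a KV v2 read response ({ data: { data: {...}, metadata } }).
function pickKey(readResponse, key) {
  const kv = readResponse && readResponse.data && readResponse.data.data;
  if (!kv || !(key in kv)) throw new Error(`key "${key}" not present in secret`);
  return kv[key];
}

// Constructed values matching the example mapping; replace with your own test keys.
const seed = buildWrite(VAULT_ADDR, process.env.VAULT_TOKEN || '<root-token>',
  'secret/my-app/api-keys',
  { stripe_secret_key: 'sk_test_CONSTRUCTED', google_api_key: 'g_CONSTRUCTED' });

// Only talks to Vault when explicitly asked: SEED_DEV_VAULT=1 node seed.js
if (process.env.SEED_DEV_VAULT === '1') {
  fetch(seed.url, seed.options)
    .then((r) => console.log(`write ${seed.url}: HTTP ${r.status}`))
    .catch((e) => console.error(`Vault not reachable: ${e.message}`));
}
```
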

4. Fetch and Use Secrets in Your Requests

After saving, a Fetch Secrets button is available. Click it and Bruno pulls the latest values from Vault.

Now, in any request within that collection, you can use your defined variables. Secrets need to be prefixed with $secrets, followed by the secret name and then the key name, all separated by periods.

For example, if you need to pass your Stripe API key in a header:

Header Name: Authorization

Header Value: Bearer {{$secrets.stripeKey.stripe_secret_key}}

When you send the request, Bruno will fetch the `stripe_secret_key` value from Vault via the `secret/my-app/api-keys` path and substitute it for `{{$secrets.stripeKey.stripe_secret_key}}` before making the actual HTTP call!

Accessing Secrets Programmatically within Bruno (Scripts)

If you're using Bruno's scripting capabilities (e.g., pre-request scripts or post-response scripts), you can access these fetched secrets using the bru.getSecretVar() function:

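// Generic form: <secret-name> is the Variable Name from the Secrets tab, <key-name> the Key in Secret
const secretValue = bru.getSecretVar('<secret-name>.<key-name>');
// This prints the secret in clear text to the console; use it only to confirm the setup
console.log(`Secret fetched from Vault: ${secretValue}`);

// Example: accessing stripeKey
const myStripeSecret = bru.getSecretVar('stripeKey.stripe_secret_key');
console.log(`My Stripe Key: ${myStripeSecret}`);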

Note: Ensure you use the Variable Name you defined in Bruno (e.g., `stripeKey`), not the full Vault path or key name. Bruno manages the mapping behind the scenes.
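
A pre-request script that uses the fetched secret without printing it, as an added example rather than code from the original post or the Bruno project. It sets the Authorization header through Bruno's req.setHeader(), stops the request if the secret was never fetched, and logs only a masked label; the helper names are hypothetical.

```javascript
// Added example (not from the original post): Bruno pre-request script.
// `bru` and `req` are provided by Bruno; the helper names below are hypothetical.

// Label for logs that never contains the full value: length plus last 4 characters.
function maskSecret(value) {
  const s = String(value);
  return s.length <= 8 ? `[${s.length} chars]` : `[${s.length} chars, ends ...${s.slice(-4)}]`;
}

// Read '<Variable Name>.<Key in Secret>' and fail closed if nothing usable came back.
function requireSecret(bruApi, ref) {
  const value = bruApi.getSecretVar(ref);
  if (typeof value !== 'string' || value.trim() === '') {
    throw new Error(`Secret "${ref}" is empty; click Fetch Secrets and check the mapping`);
  }
  return value;
}

// Set the bearer header and return only a masked description for logging.
function applyBearer(bruApi, request, ref) {
  const secret = requireSecret(bruApi, ref);
  request.setHeader('Authorization', `Bearer ${secret}`);
  return maskSecret(secret);
}

// Inside Bruno the globals exist, so the script runs; elsewhere it only defines helpers.
if (typeof bru !== 'undefined' && typeof req !== 'undefined') {
  console.log(`Authorization set from Vault ${applyBearer(bru, req, 'stripeKey.stripe_secret_key')}`);
}
```

Throwing in a pre-request script keeps a request from going out with a header such as "Bearer undefined" when the secret has not been fetched.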

Conclusion

By integrating HashiCorp Vault with Bruno, you're not just moving your secrets; you're elevating your security posture and streamlining your development workflow. This setup ensures that sensitive data is handled securely, consistently, and with proper access controls, making your API testing and development more robust and less prone to security mishaps. Start securing your secrets today!

Learn more at docs.usebruno.com.