Vault Mounts Explained Simply | Generated by AI

Home 2026.01

I’ll explain HashiCorp Vault mounts, which are a fundamental concept for organizing secrets and authentication methods.

What is a Mount?

In Vault, a mount is like a filesystem mount point - it’s a path where you attach a secrets engine or authentication method. Think of it as plugging different modules into specific locations in Vault’s API path structure.

When you enable a secrets engine or auth method, you’re “mounting” it at a specific path. All operations for that engine then happen under that path.

Mount Structure

Vault’s path structure looks like:

<mount_path>/<operation>

For example:

What is sys/mount?

sys/mount is a special system backend path used to manage secrets engine mounts. It’s part of Vault’s system backend (paths starting with sys/) which handles Vault’s configuration and management.

Key operations:

List all mounts:

vault secrets list
# or via API
curl -H "X-Vault-Token: $TOKEN" $VAULT_ADDR/v1/sys/mounts

Enable a new secrets engine:

vault secrets enable -path=myapp kv
# or via API
curl -H "X-Vault-Token: $TOKEN" \
  -X POST \
  -d '{"type":"kv","options":{"version":"2"}}' \
  $VAULT_ADDR/v1/sys/mounts/myapp

Disable/unmount:

vault secrets disable myapp
# or via API
curl -H "X-Vault-Token: $TOKEN" \
  -X DELETE \
  $VAULT_ADDR/v1/sys/mounts/myapp

Types of Mounts

Secrets Engine Mounts (sys/mounts):

Auth Method Mounts (sys/auth):

Example

When you enable the AWS secrets engine:

vault secrets enable -path=aws aws

You’ve created a mount at aws/. Now you can:

Each secrets engine type has its own API endpoints and operations, but they all work through this mount system.

Does this help clarify how mounts work? Let me know if you’d like me to explain any specific aspect in more detail!

Back

anthropic/claude-4.5-sonnet

Donate