Welcome to the MCP Secret Wrapper documentation. This directory contains detailed guides for using different vaults to retrieve secrets dynamically for MCP servers.
Complete guide for integrating with AWS Secrets Manager, including authentication, configuration, and best practices.
Complete guide for integrating with GCP Secret Manager, including authentication, configuration, and best practices.
- Choose your vault provider from the list above
- Follow the specific documentation for your chosen vault
- Configure your MCP server to use the vault
- Test your setup with the provided examples
MCP Secret Wrapper supports multiple vault types through a plugin architecture. Each vault type has its own configuration requirements and authentication methods.
Secrets are referenced using vault-specific identifiers:
- AWS: ARN format (
arn:aws:secretsmanager:region:account:secret:name) - GCP: Resource name format (
projects/PROJECT_ID/secrets/SECRET_NAME/versions/VERSION) or shorthand (PROJECT_ID/SECRET_NAME)
You can configure vault settings using:
- Command line arguments (
--vault-type,--vault-region) - Environment variables (
VAULT_TYPE,VAULT_REGION)
Want to add support for a new vault? See our Contributing Guide for details on how to implement new vault plugins.