Enable CAS requirement at the mount level: 'vault write secret/config cas_required=true'
Or set CAS per-key in metadata: 'vault kv metadata put -custom-metadata=owner=team1 -cas-required=true secret/myapp/config'
On first write pass cas=0 to assert the key does not yet exist: 'vault kv put -cas=0 secret/myapp/config key=<VALUE>'
On subsequent writes pass the current version number: 'vault kv put -cas=3 secret/myapp/config key=<NEW_VALUE>'
If a concurrent writer already incremented the version, the write returns a 400 'check-and-set parameter did not match'; read the current version and retry
Read the current version before a write with 'vault kv get -format=json secret/myapp/config | jq .data.metadata.version'
Known gotchas
CAS=0 only succeeds if the key has never been written or all versions have been destroyed; a soft-deleted key still fails CAS=0
The cas_required flag on the mount overrides per-key settings; any write without a cas parameter will be rejected globally
Response wrapping a KV v2 write bypasses CAS semantics — do not combine response wrapping with CAS-protected paths
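The read-then-write retry from the steps above, as an added example that is not part of the original page: a POSIX shell wrapper that re-reads the version and retries only on the check-and-set mismatch. The function names and MAX_TRIES are assumptions; it expects the vault CLI and jq on PATH.

```shell
#!/bin/sh
# Added example; function names and MAX_TRIES are assumptions, not Vault names.
MAX_TRIES=${MAX_TRIES:-5}   # bound retries so a key that can never match fails fast

# Print the current version of a KV v2 secret, or 0 when the read fails
# (treated here as "never written", matching the -cas=0 first-write step).
kv_current_version() {
    _json=$(vault kv get -format=json "$1" 2>/dev/null) || { echo 0; return 0; }
    printf '%s\n' "$_json" | jq -r '.data.metadata.version'
}

# kv_cas_put PATH key=value...
# Returns 0 on success, 1 on a non-CAS error, 2 when retries are exhausted.
kv_cas_put() {
    _path=$1; shift
    _try=1
    while [ "$_try" -le "$MAX_TRIES" ]; do
        _ver=$(kv_current_version "$_path")
        if _out=$(vault kv put -cas="$_ver" "$_path" "$@" 2>&1); then
            return 0
        fi
        case $_out in
            *"check-and-set parameter did not match"*)
                ;;  # a concurrent writer won: re-read the version and retry
            *)
                printf '%s\n' "$_out" >&2   # policy, auth, network: do not retry
                return 1 ;;
        esac
        _try=$((_try + 1))
    done
    # If the read fails for a soft-deleted key, -cas=0 keeps failing (see gotchas)
    # and the loop ends here instead of spinning.
    echo "gave up after $MAX_TRIES check-and-set conflicts on $_path" >&2
    return 2
}
```

Resending the same payload after a conflict is only safe when the new value does not depend on the old one; otherwise recompute it after each re-read.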