Benchmark Vault performance

28min
|
Vault
Interactive

Operating Vault in an efficient manner to support your use cases requires that you are able to accurately measure its performance. Ideally, you can benchmark and measure performance in environments which resemble production use cases to produce realistic results.

Challenge

You need to measure Vault performance in a meaningful way, and in an environment that also resembles that of your intended use case with respect to compute resources.

The Vault server under test should have the same auth methods and secrets engines enabled, along with example secrets, leases, and token data present to accurately simulate your use cases.

Solution

HashiCorp provides the open source utility vault-benchmark to help you measure Vault performance at a granular level using several of the available auth methods and secrets engines.

You can use vault-benchmark as a command line interface, as a Docker image, or as a Kubernetes workload to match the infrastructure you're using for Vault.

Personas

The end-to-end scenario and lab sandbox described in this tutorial involves one persona.

The persona is a Vault operator with privileged permissions to enable and disable auth methods and secrets engines. You perform all the tasks in the hands-on scenario as this persona.

Prerequisites

You need the following resources to complete the hands-on scenario based on whether you'll use the Vault community edition with CLI, Docker, Kubernetes, or HCP Vault Dedicated.

To complete the lab sandbox using CLI versions of Vault and vault-benchmark, you need the following:

Vault binary installed and in your system PATH.
vault-benchmark binary installed and in your system PATH.

Launch Terminal

This tutorial includes a free interactive command-line lab that lets you follow along on actual cloud infrastructure.

Versions used for this tutorial

This tutorial was last tested 05 Mar 2026 on macOS using the following software versions.

Operating System

$ sw_vers --productVersion
26.3

Vault

$ vault version
Vault v1.21.0 (818ca8b3575ea937ca48b640baf35e1b2ede1833), built 2025-10-21T19:33:18Z

vault-benchmark

$ vault-benchmark version
vault-benchmark v0.3.0

Docker server

$ docker version --format '{{.Server.Version}}'
29.2.1

Curl

$ curl --version | head -n 1 | awk '{print $2}'
8.7.1

$ jq --version
jq-1.8.1

helm

$ helm version --short
v4.1.1+g5caf004

minikube

$ minikube version
minikube version: v1.38.1
commit: c93a4cb9311efc66b90d33ea03f75f2c4120e9b0

Lab setup

The setup for this tutorial's lab sandbox is different depending on whether you want to experiment with vault-benchmark in the CLI with a dev mode server, in the CLI with a Vault Dedicated server, in Docker, or in Kubernetes.

Create local lab sandbox home

You can create a temporary directory to hold all the content needed for this lab sandbox and then assign its path to an environment variable for later reference.

Open a terminal, and create the directory /tmp/learn-vault-benchmark.
```
$ mkdir /tmp/learn-vault-benchmark
```
Export the lab sandbox directory path as the value to the HC_LEARN_LAB environment variable.
```
$ export HC_LEARN_LAB=/tmp/learn-vault-benchmark
```

Now choose the lab set up workflow that matches the environment you want to use for this lab sandbox.

Run a Vault dev mode server as a background process from your terminal session to follow the self-hosted Vault workflow in this lab sandbox.

Open a terminal and start a Vault dev server with root as the initial root token value.
```
$ vault server \
    -dev \
    -dev-root-token-id root \
    -dev-tls \
    > "$HC_LEARN_LAB"/vault-server.log 2>&1 &
```
The Vault dev server defaults to running at 127.0.0.1:8200. The server logs to the file vault-server.log in the lab sandbox working directory, and gets automatically initialized and unsealed.
Dev mode is not for production
Do not run a Vault dev server in production. This approach starts a Vault server with an in-memory database, and you lose access to all data in a dev mode Vault server when you stop the process.

Tail the server log to learn about important environment variables you need to export before you can use Vault.

$ tail -n 15 "$HC_LEARN_LAB"/vault-server.log | head -n 5

Example output:

You may need to set the following environment variables:

    $ export VAULT_ADDR='https://127.0.0.1:8200'
    $ export VAULT_CACERT='/var/folders/4_/_10tk5gn3rd80q2q_nqj_7280000gn/T/vault-tls2551239917/vault-ca.pem'

Export the environment variable for the vault CLI to address the Vault server.
```
$ export VAULT_ADDR='https://127.0.0.1:8200'
```
Export the environment variable for the client to use the Vault server CA certificate.
Note
Use the value from your logs instead of the example value
```
$ export VAULT_CACERT='/var/folders/4_/_10tk5gn3rd80q2q_nqj_7280000gn/T/vault-tls2551239917/vault-ca.pem'
```
Export an environment variable for the vault CLI to authenticate with the Vault server.
```
$ export VAULT_TOKEN=root
```

Check Vault status.

$ vault status

Example output:

Key             Value
---             -----
Seal Type       shamir
Initialized     true
Sealed          false
Total Shares    1
Threshold       1
Version         1.21.0
Build Date      2025-10-21T19:33:18Z
Storage Type    inmem
Cluster Name    vault-cluster-4f99e7e8
Cluster ID      898011b6-f959-64a9-53fe-31965fa32f91
HA Enabled      false

The Vault server is ready for you to proceed with the lab sandbox.

Run a Vault dev mode Docker container from your terminal session to follow the Docker workflow in this lab sandbox.

Create a Docker network named learn-vault that all containers in this lab sandbox use.

Create the network.

$ docker network create --attachable --subnet 10.42.74.0/24 learn-vault

Start a Vault dev mode container.

$ docker run \
   --ip 10.42.74.100 \
   --name learn-vault \
   --network learn-vault \
   --cap-add=IPC_LOCK \
   --env 'VAULT_DEV_ROOT_TOKEN_ID=root' \
   --env 'VAULT_DEV_LISTEN_ADDRESS=0.0.0.0:8200' \
   --publish 8200:8200 \
   --detach \
   --rm \
   hashicorp/vault server -dev -dev-tls

Example output:

Unable to find image 'hashicorp/vault:latest' locally
latest: Pulling from hashicorp/vault
7264a8db6415: Already exists
7259d51dea60: Pull complete
9dedc4f6c9a3: Pull complete
204d1f409b38: Pull complete
3880cf4bada0: Pull complete
0e0e3fbb3175: Pull complete
bc314563faa5: Pull complete
Digest: sha256:ccbb5fde9d55b3dc57cf8694dea9c988ba0127b205661b652b5264f8d5901a58
Status: Downloaded newer image for hashicorp/vault:latest
6d13077b2c5d9bdafb4e1882eebed9bed02a96b1ee22b1a2d549b767db8e5572

If you've never used the Vault image before, Docker pulls it for you and then starts a container using the image.

Dev mode is not for production

Do not run a Vault dev server in production. This approach starts a Vault server with an in-memory database, and you lose access to all data in a dev mode Vault server when you stop the process.

Check the Vault server container logs to learn the CA certificate path so that you can copy the certificate to your host computer temporary directory.

$ docker logs learn-vault 2>&1 | tail -n 14 | head -n 4

Example output:

You may need to set the following environment variables:

    $ export VAULT_ADDR='https://0.0.0.0:8200'
    $ export VAULT_CACERT='/tmp/vault-tls2046455780/vault-ca.pem'

Copy the certificate file from the container to the temporary directory (/tmp) on your host computer.

$ docker cp \
    learn-vault:/tmp/vault-tls2046455780/vault-ca.pem \
    /tmp/vault-ca.pem

Export the environment variable that informs the Vault client of the Vault server's URL and port information.
```
$ export VAULT_ADDR=https://localhost:8200
```
Export an environment variable that the Vault client uses to set the Vault server CA certificate value.
```
$ export VAULT_CACERT=/tmp/vault-ca.pem
```

Check the Vault server's status.

$ vault status

Example output:

Key             Value
---             -----
Seal Type       shamir
Initialized     true
Sealed          false
Total Shares    1
Threshold       1
Version         1.21.2
Build Date      2026-01-06T08:33:05Z
Storage Type    inmem
Cluster Name    vault-cluster-f0f98634
Cluster ID      51eea9ef-1ad7-d03a-7dbc-4a5a496166e1
HA Enabled      false

The Vault dev mode server Docker container is ready for you to proceed with the lab sandbox.

Deploy Vault into minikube using a Helm chart from your terminal session to follow the Kubernetes workflow in this lab sandbox.

Dive deeper

If you're unfamiliar with this process or would like to dive deeper, review the Vault installation to minikube via Helm with Integrated Storage tutorial.

Start minikube.

$ minikube start

Example output:

😄  minikube v1.38.1 on Darwin 26.3.1 (arm64)
✨  Automatically selected the docker driver. Other choices: qemu2, virtualbox, ssh
❗  Starting v1.39.0, minikube will default to "containerd" container runtime. See #21973 for more info.
📌  Using Docker Desktop driver with root privileges
👍  Starting "minikube" primary control-plane node in "minikube" cluster
🚜  Pulling base image v0.0.50 ...
💾  Downloading Kubernetes v1.35.1 preload ...
    > preloaded-images-k8s-v18-v1...:  243.95 MiB / 243.95 MiB  100.00% 50.45 M
🔥  Creating docker container (CPUs=2, Memory=9200MB) ...
🐳  Preparing Kubernetes v1.35.1 on Docker 29.2.1 ...
🔗  Configuring bridge CNI (Container Networking Interface) ...
🔎  Verifying Kubernetes components...
    ▪ Using image gcr.io/k8s-minikube/storage-provisioner:v5
🌟  Enabled addons: storage-provisioner, default-storageclass
🏄  Done! kubectl is now configured to use "minikube" cluster and "default" namespace by default

Check minikube status.

$ minikube status

Example output:

minikube
type: Control Plane
host: Running
kubelet: Running
apiserver: Running
kubeconfig: Configured

Add the HashiCorp Helm repository.

$ helm repo add hashicorp https://helm.releases.hashicorp.com

Example output:

"hashicorp" has been added to your repositories

Update all the repositories to ensure helm is aware of the latest versions.

$ helm repo update

Example output:

Hang tight while we grab the latest from your chart repositories...
...Successfully got an update from the "secrets-store-csi-driver" chart repository
...Successfully got an update from the "hashicorp" chart repository
Update Complete. ⎈Happy Helming!⎈

Install the Vault server Helm chart to start a dev mode server.

$ helm install vault hashicorp/vault \
    --set "server.dev.enabled=true" \
    --set "server.dev.devRootToken=root" \
    --set "server.extraArgs=--dev-tls"

Example output:

NAME: vault
LAST DEPLOYED: Tue Mar 10 11:22:48 2026
NAMESPACE: default
STATUS: deployed
REVISION: 1
DESCRIPTION: Install complete
NOTES:
Thank you for installing HashiCorp Vault!
...snip...

Running a dev mode server is not for production.

Do not run a Vault dev server in production. This approach starts a Vault server with an in-memory database, and you lose access to all data in a dev mode Vault server when you stop the process.

Display all the pods within the default namespace.

$ kubectl get pods

Example output:

NAME                                    READY   STATUS    RESTARTS   AGE
vault-0                                 0/1     Running   0          67s
vault-agent-injector-7655d66c96-t24tk   1/1     Running   0          68s

The Vault dev mode server is running in the pod named vault-0. Check the status as needed, and ensure that both pods have a Running status before continuing.

Check the Vault server status.

$ kubectl exec vault-0 -- sh -c \
    'export VAULT_ADDR=https://127.0.0.1:8200 VAULT_SKIP_VERIFY=1; vault status'

Example output:

Key             Value
---             -----
Seal Type       shamir
Initialized     true
Sealed          false
Total Shares    1
Threshold       1
Version         1.21.2
Build Date      2026-01-06T08:33:05Z
Storage Type    inmem
Cluster Name    vault-cluster-2248019f
Cluster ID      40cfcac4-a667-19e8-4969-ab95dae33eb9
HA Enabled      false

The Vault dev mode server pod is ready for you to proceed with the lab sandbox.

Deploy a Vault Dedicated developer instance to follow the HCP Vault Dedicated workflow in this lab sandbox.

Dive deeper

If you're unfamiliar with this process or would like to dive deeper, review the Create a Vault cluster on HCP tutorial.

Launch the HCP Portal and login.
Click Vault Dedicated in the left navigation pane.
In the Clusters pane, click the ID of the Vault Dedicated cluster you want to use.
Under Cluster URLs, click the clipboard icon beside Public Cluster URL.
In a terminal, export the VAULT_ADDR environment variable to the copied address.
```
$ export VAULT_ADDR=<Public_Cluster_URL>
```
Return to the Overview page and click Generate token.
Within a few moments, a new token will be generated.
Copy the Admin Token.
Return to the terminal and set the VAULT_TOKEN environment variable.
```
$ export VAULT_TOKEN=<token>
```
Set the VAULT_NAMESPACE environment variable to admin.
```
$ export VAULT_NAMESPACE=admin
```
The admin namespace is the top-level namespace automatically created by HCP Vault. All CLI operations default to use the namespace defined in this environment variable.

Type vault status to verify your connectivity to the Vault cluster.

$ vault status

Example output:

Key                      Value
---                      -----
Seal Type                awskms
Recovery Seal Type       shamir
Initialized              true
Sealed                   false
Total Recovery Shares    1
Threshold                1
Version                  1.21.3+ent
Build Date               2026-02-03T23:38:44Z
Storage Type             raft
Cluster Name             4204ac12-4ef7-44bb-b6a1-f363232d5b1d
Cluster ID               f811d088-b8f4-a704-0166-a34fcd956b8b
Removed From Cluster     false
HA Enabled               true
HA Cluster               https://172.25.19.100:8201
HA Mode                  active
Active Since             2026-03-10T16:55:18.621779223Z
Raft Committed Index     1230
Raft Applied Index       1230
Last WAL                 539

The Vault Dedicated server is ready, and you can proceed with the lab.

Now that you've established a working lab, you're ready to explore vault-benchmark and its configuration.

Explore vault-benchmark

Your goal for this section is to explore vault-benchmark using a terminal session. Resources for diving deeper are provided at the section's conclusion.

Check your vault-benchmark version.

$ vault-benchmark version

Example output:

vault-benchmark v0.3.0

You can get help to discover available commands.

$ vault-benchmark --help

Example output:

Usage: vault-benchmark <command> [args]

Command list:
   run         Run vault-benchmark test(s)
   review      Review previous test results

This lab sandbox focuses on your use of the run command. Get help for the run command.

$ vault-benchmark run --help

Long example output

Usage: vault-benchmark run [options]

This command will run a vault-benchmark test.

Run a vault-benchmark test with a configuration file:

   $ vault-benchmark run -config=/etc/vault-benchmark/test.hcl

For a full list of examples, please see the documentation.

Command Options:

-annotate=<string>
      Comma-separated name=value pairs include in bench_running prometheus
      metric. Try name 'testname' for dashboard example.

-audit_path=<string>
      Path to file for audit log.

-ca_pem_file=<string>
      Path to PEM encoded CA file to verify external Vault. This can also be
      specified via the VAULT_CACERT environment variable.

-cleanup
      Cleanup benchmark artifacts after run. The default is false.

-cluster_json=<string>
      Path to cluster.json file

-config=<string>
      Path to a vault-benchmark test configuration file.

-debug
      Run vault-benchmark in Debug mode. The default is false.

-disable_http2
      Force HTTP/1.1 The default is false.

-duration=<duration>
      Test Duration. The default is 10s.

-log_level=<string>
      Level to emit logs. Options are: INFO, WARN, DEBUG, TRACE. The default
      is INFO. This can also be specified via the VAULT_BENCHMARK_LOG_LEVEL
      environment variable.

-pprof_interval=<duration>
      Collection interval for vault debug pprof profiling.

-random_mounts
      Use random mount names. The default is true.

-report_mode=<string>
      Reporting Mode. Options are: terse, verbose, json. The default is terse.

-rps=<int>
      Requests per second. Setting to 0 means as fast as possible.

-vault_addr=<string>
      Target Vault API Address. The default is http://127.0.0.1:8200. This can
      also be specified via the VAULT_ADDR environment variable.

-vault_namespace=<string>
      Vault Namespace to create test mounts. This can also be specified via
      the VAULT_NAMESPACE environment variable.

-vault_token=<string>
      Vault Token to be used for test setup. This can also be specified via
      the VAULT_TOKEN environment variable.

-workers=<int>
      Number of workers The default is 10.

Pull the vault-benchmark Docker image.

$ docker pull hashicorp/vault-benchmark

Example output:

Using default tag: latest
latest: Pulling from hashicorp/vault-benchmark
Digest: sha256:3f0ebc573b2615db5070bcfa724bd952c4b9f1679f17f7bf3ad3e678bb36a434
Status: Image is up to date for hashicorp/vault-benchmark:latest
docker.io/hashicorp/vault-benchmark:latest

Check your vault-benchmark version.

$ docker run hashicorp/vault-benchmark vault-benchmark version

Example output:

vault-benchmark v0.3.0

You can get help to discover available commands.

$ docker run hashicorp/vault-benchmark vault-benchmark --help

Example output:

Usage: vault-benchmark <command> [args]

Command list:
   run         Run vault-benchmark test(s)
   review      Review previous test results

This lab sandbox focuses on your use of the run command. Get help for the run command.

$ docker run hashicorp/vault-benchmark vault-benchmark run --help

Long example output

Usage: vault-benchmark run [options]

This command will run a vault-benchmark test.

Run a vault-benchmark test with a configuration file:

   $ vault-benchmark run -config=/etc/vault-benchmark/test.hcl

For a full list of examples, please see the documentation.

Command Options:

-annotate=<string>
      Comma-separated name=value pairs include in bench_running prometheus
      metric. Try name 'testname' for dashboard example.

-audit_path=<string>
      Path to file for audit log.

-ca_pem_file=<string>
      Path to PEM encoded CA file to verify external Vault. This can also be
      specified via the VAULT_CACERT environment variable.

-cleanup
      Cleanup benchmark artifacts after run. The default is false.

-cluster_json=<string>
      Path to cluster.json file

-config=<string>
      Path to a vault-benchmark test configuration file.

-debug
      Run vault-benchmark in Debug mode. The default is false.

-disable_http2
      Force HTTP/1.1 The default is false.

-duration=<duration>
      Test Duration. The default is 10s.

-log_level=<string>
      Level to emit logs. Options are: INFO, WARN, DEBUG, TRACE. The default
      is INFO. This can also be specified via the VAULT_BENCHMARK_LOG_LEVEL
      environment variable.

-pprof_interval=<duration>
      Collection interval for vault debug pprof profiling.

-random_mounts
      Use random mount names. The default is true.

-report_mode=<string>
      Reporting Mode. Options are: terse, verbose, json. The default is terse.

-rps=<int>
      Requests per second. Setting to 0 means as fast as possible.

-vault_addr=<string>
      Target Vault API Address. The default is http://127.0.0.1:8200. This can
      also be specified via the VAULT_ADDR environment variable.

-vault_namespace=<string>
      Vault Namespace to create test mounts. This can also be specified via
      the VAULT_NAMESPACE environment variable.

-vault_token=<string>
      Vault Token to be used for test setup. This can also be specified via
      the VAULT_TOKEN environment variable.

-workers=<int>
      Number of workers The default is 10.

You can explore the vault-benchmark documentation to learn more about configuring it.

The available tests documentation describes all of the available tests and their configuration. You can use this information to configure a vault-benchmark Kubernetes job.

You'll use an example benchmark configuration that includes the Kubernetes auth method; the Kubernetes auth benchmark documentation covers all of the available parameters, caveats, and a usage example for this benchmark.

All benchmark tests are documented in a similar way.

Check your vault-benchmark version.

$ vault-benchmark version

Example output:

vault-benchmark v0.3.0

You can get help to discover available commands.

$ vault-benchmark --help

Example output:

Usage: vault-benchmark <command> [args]

Command list:
   run         Run vault-benchmark test(s)
   review      Review previous test results

This lab sandbox focuses on your use of the run command. Get help for the run command.

$ vault-benchmark run --help

Long example output

Usage: vault-benchmark run [options]

This command will run a vault-benchmark test.

Run a vault-benchmark test with a configuration file:

   $ vault-benchmark run -config=/etc/vault-benchmark/test.hcl

For a full list of examples, please see the documentation.

Command Options:

-annotate=<string>
      Comma-separated name=value pairs include in bench_running prometheus
      metric. Try name 'testname' for dashboard example.

-audit_path=<string>
      Path to file for audit log.

-ca_pem_file=<string>
      Path to PEM encoded CA file to verify external Vault. This can also be
      specified via the VAULT_CACERT environment variable.

-cleanup
      Cleanup benchmark artifacts after run. The default is false.

-cluster_json=<string>
      Path to cluster.json file

-config=<string>
      Path to a vault-benchmark test configuration file.

-debug
      Run vault-benchmark in Debug mode. The default is false.

-disable_http2
      Force HTTP/1.1 The default is false.

-duration=<duration>
      Test Duration. The default is 10s.

-log_level=<string>
      Level to emit logs. Options are: INFO, WARN, DEBUG, TRACE. The default
      is INFO. This can also be specified via the VAULT_BENCHMARK_LOG_LEVEL
      environment variable.

-pprof_interval=<duration>
      Collection interval for vault debug pprof profiling.

-random_mounts
      Use random mount names. The default is true.

-report_mode=<string>
      Reporting Mode. Options are: terse, verbose, json. The default is terse.

-rps=<int>
      Requests per second. Setting to 0 means as fast as possible.

-vault_addr=<string>
      Target Vault API Address. The default is http://127.0.0.1:8200. This can
      also be specified via the VAULT_ADDR environment variable.

-vault_namespace=<string>
      Vault Namespace to create test mounts. This can also be specified via
      the VAULT_NAMESPACE environment variable.

-vault_token=<string>
      Vault Token to be used for test setup. This can also be specified via
      the VAULT_TOKEN environment variable.

-workers=<int>
      Number of workers The default is 10.

Configure benchmark

Your goal for this section is to configure vault-benchmark for a basic benchmark run.

Vault Benchmark is configured with a HashiCorp Configuration Language (HCL) file. You can use the example configuration shown in the Usage documentation in this lab sandbox.

Here is the entire example configuration file with detailed explanation of each configuration entry.

vault-benchmark-config.hcl

vault_addr = "https://127.0.0.1:8200"
vault_token = "root"
vault_namespace="root"
duration = "30s"
cleanup = true

test "approle_auth" "approle_logins" {
  weight = 50
  config {
    role {
      role_name = "benchmark-role"
      token_ttl="2m"
    }
  }
}

test "kvv2_write" "static_secret_writes" {
  weight = 50
  config {
    numkvs = 100
    kvsize = 100
  }
}

Lines 1-5 are global parameters:

vault_addr: the full URL plus port for the Vault server to benchmark.
vault_token: the literal token value for a token with capabilities to enable and manage secrets engines and auth methods. In this lab sandbox, the initial root token value is used, but you should not use a root token in production this way.
vault_namespace: the name of the Enterprise namespace to use for the benchmark.
duration: number of seconds to run the benchmark.
cleanup: whether to remove all resources created by the benchmark run.

Benchmark in production not recommended.

You should benchmark Vault servers dedicated to the purpose, but not production servers. The benchmark can adversely affect performance of the server, and does not make guarantees about cleanup of artifacts created during the benchmark run.

Lines 7-15 and 17-23 represent the 2 tests making up this benchmark configuration. This test configuration runs two different tests, an approle_auth test and a kvv2_write test, with the percentage of requests split evenly between the two.

The first test beginning at line 7, is for AppRole auth method logins. Note that the first parameter is weight. You can think of this as a percentage of the entire workload. This means that the benchmark performs AppRole logins 50% of the time throughout the entire run.

You can configure a test in its config stanza. In this test, role_name specifies the auth method role name benchmark-role. Each token Vault issues after an AppRole login with the benchmark-role is configured with a token_ttl value of 2 minutes to specify the token's time-to-live (TTL). You can learn more about available parameters in the AppRole auth method benchmark documentation.

The second test beginning at line 17, is for Key/Value version 2 secrets engine writes. This test takes the remaining 50% of benchmark operations with its weight setting. It also uses numkvs to specify that 100 key/value secrets be written, and kvsize to limit each value to 100 bytes. Available parameters are documented in the KV v1 and KV v2 secret benchmark documentation

You can learn more about all the tests in the vault-benchmark test documentation.

Now that you've reviewed the example configuration, you need to change it a bit to function with the Vault cluster you're using.

In the lab setup section, you set the VAULT_ADDR and VAULT_TOKEN (and VAULT_NAMESPACE for Vault Dedicated) environment variables for communicating to your Vault cluster.

Values from environment variables override anything specified in the vault-benchmark configuration file.

With this in mind, you can set the vault_addr, vault_token, and vault_namespace values to an empty string. Their values come from the environment variables you set.

root namespace by default

If you're using a Vault cluster that is not in HCP, you might recall that you did not export a VAULT_NAMESPACE environment variable during your lab setup.

vault-benchmark uses the root namespace by default when there is no value set in the configuration file. Specifying it is unnecessary unless you're using HCP Vault Dedicated or a Vault Enterprise cluster with a namespace that is not root.

These steps apply equally to self-hosted, Docker and Vault Dedicated.

Return to your terminal session and write the configuration file to /tmp/learn-vault-benchmark/vault-benchmark-config.hcl.

$ cat > "$HC_LEARN_LAB"/vault-benchmark-config.hcl << EOF
vault_addr = ""
vault_token = ""
vault_namespace=""
duration = "30s"
cleanup = true

test "approle_auth" "approle_logins" {
weight = 50
config {
   role {
      role_name = "benchmark-role"
      token_ttl="2m"
   }
}
}

test "kvv2_write" "static_secret_writes" {
weight = 50
config {
   numkvs = 100
   kvsize = 100
}
}
EOF

You've configured vault-benchmark for 2 tests, and they're now ready for you to run them.

You can configure vault-benchmark for Kubernetes as a job file. Here is the complete example from the vault-benchmark repository.

# Copyright (c) HashiCorp, Inc.
# SPDX-License-Identifier: MPL-2.0

---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: vault-benchmark

---
apiVersion: v1
kind: ConfigMap
metadata:
  name: vault-benchmark-configmap
data:
  k8s.hcl: |
    # Basic Benchmark config options
    vault_addr = "https://vault:8200"
    vault_token = "root"
    duration = "10s"
    report_mode = "terse"
    random_mounts = true
    cleanup = true

    test "kube_auth" "kube_auth_test1" {
      weight = 100
      config {
        auth {
          kubernetes_host = "https://kubernetes.default.svc"
        }
        role {
          name = "vault-benchmark-role"
          bound_service_account_names = ["vault-benchmark"]
          bound_service_account_namespaces = ["*"]
          token_max_ttl = "24h"
          token_ttl = "1h"
        }
      }
    }

---
apiVersion: batch/v1
kind: Job
metadata:
  name: vault-benchmark
spec:
  backoffLimit: 0
  template:
    metadata:
      name: vault-benchmark
      labels:
        app: vault-benchmark
    spec:
      containers:
      - name: vault-benchmark
        image: hashicorp/vault-benchmark:latest
        imagePullPolicy: IfNotPresent
        command: ["vault-benchmark"]
        env:
        - name: VAULT_ADDR
          value: "https://vault:8200"
        - name: VAULT_SKIP_VERIFY
          value: "1"
        args: [
          "run",
          "-config=/config/k8s.hcl",
        ]
        volumeMounts:
        - name: benchmark-config
          mountPath: "/config"
          readOnly: true
      restartPolicy: Never
      serviceAccountName: vault-benchmark
      volumes:
      - name: benchmark-config
        configMap:
          name: vault-benchmark-configmap

This benchmark has one test named kube_auth_test1, that performs Kubernetes auth method logins.

You'll work with an edited version that changes the following settings.

Benchmark duration is increased to 30s.
Adds a second test of KV v2 secret writes.
Sets each test's weight to 50.

Create the job file /tmp/learn-vault-benchmark/vault-benchmark-job.yaml, paste the following updated configuration into it, and save it.

# Copyright (c) HashiCorp, Inc.
# SPDX-License-Identifier: MPL-2.0

---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: vault-benchmark

---
apiVersion: v1
kind: ConfigMap
metadata:
  name: vault-benchmark-configmap
data:
  k8s.hcl: |
    # Basic Benchmark config options
    vault_addr = "https://vault:8200"
    vault_token = "root"
    duration = "30s"
    report_mode = "terse"
    random_mounts = true
    cleanup = true

    test "kube_auth" "kube_auth_test1" {
      weight = 50
      config {
        auth {
          kubernetes_host = "https://kubernetes.default.svc"
        }
        role {
          name = "vault-benchmark-role"
          bound_service_account_names = ["vault-benchmark"]
          bound_service_account_namespaces = ["*"]
          token_max_ttl = "24h"
          token_ttl = "1h"
        }
      }
    }
    test "kvv2_write" "static_secret_writes" {
      weight = 50
      config {
        numkvs = 100
        kvsize = 100
      }
    }

---
apiVersion: batch/v1
kind: Job
metadata:
  name: vault-benchmark
spec:
  backoffLimit: 0
  template:
    metadata:
      name: vault-benchmark
      labels:
        app: vault-benchmark
    spec:
      containers:
      - name: vault-benchmark
        image: hashicorp/vault-benchmark:latest
        imagePullPolicy: IfNotPresent
        command: ["vault-benchmark"]
        env:
        - name: VAULT_ADDR
          value: "https://vault:8200"
        - name: VAULT_SKIP_VERIFY
          value: "1"
        args: [
          "run",
          "-config=/config/k8s.hcl",
        ]
        volumeMounts:
        - name: benchmark-config
          mountPath: "/config"
          readOnly: true
      restartPolicy: Never
      serviceAccountName: vault-benchmark
      volumes:
      - name: benchmark-config
        configMap:
          name: vault-benchmark-configmap

You're now ready to run the benchmark.

Run benchmark

Your goal for this section is to run vault-benchmark with the configuration that you just created.

Run the benchmark.

$ vault-benchmark run \
    -config="$HC_LEARN_LAB"/vault-benchmark-config.hcl

Example output:

2026-03-05T12:04:17.912-0500 [INFO]  vault-benchmark: setting up targets
2026-03-05T12:04:20.042-0500 [INFO]  vault-benchmark: starting benchmarks: duration=30s
2026-03-05T12:04:50.044-0500 [INFO]  vault-benchmark: cleaning up targets
2026-03-05T12:05:05.590-0500 [INFO]  vault-benchmark: benchmark complete
Target: https://127.0.0.1:8200
op                    count   rate         throughput   mean       95th%       99th%       successRatio
approle_logins        210721  7023.818619  7023.695679  720.46µs   1.639838ms  2.775216ms  100.00%
static_secret_writes  209678  6989.393786  6989.032447  685.226µs  1.55472ms   2.704063ms  100.00%

Run the benchmark.

$ docker run \
    --volume="$HC_LEARN_LAB":/vault/config \
    --volume=/tmp:/local_tmp \
    --ip 10.42.74.200 \
    --name learn-vault-benchmark \
    --network learn-vault \
    --env 'VAULT_TOKEN=root' \
    --env 'VAULT_ADDR=https://10.42.74.100:8200' \
    --env 'VAULT_CACERT=/local_tmp/vault-ca.pem' \
    --env 'VAULT_SKIP_VERIFY=1' \
    --rm \
    hashicorp/vault-benchmark vault-benchmark run -config=/vault/config/vault-benchmark-config.hcl

Example output:

2026-03-05T17:23:06.468Z [INFO]  vault-benchmark: setting up targets
2026-03-05T17:23:08.576Z [INFO]  vault-benchmark: starting benchmarks: duration=30s
2026-03-05T17:23:38.579Z [INFO]  vault-benchmark: cleaning up targets
2026-03-05T17:23:52.130Z [INFO]  vault-benchmark: benchmark complete
Target: https://10.42.74.100:8200
op                    count   rate         throughput   mean        95th%       99th%       successRatio
approle_logins        145220  4840.712315  4840.589390  1.036651ms  2.029165ms  3.678398ms  100.00%
static_secret_writes  144981  4832.722987  4832.683077  1.000902ms  1.987908ms  3.565152ms  100.00%

Run the benchmark.

$ kubectl apply -f "$HC_LEARN_LAB"/vault-benchmark-job.yaml

Example output:

serviceaccount/vault-benchmark created
configmap/vault-benchmark-configmap created
job.batch/vault-benchmark created

Get the pods.

$ kubectl get pods
NAME                                    READY   STATUS    RESTARTS   AGE
vault-0                                 0/1     Running   0          16m
vault-agent-injector-848dd747d7-dx8kp   1/1     Running   0          16m
vault-benchmark-kzxkw                   1/1     Running   0          3s

The benchmark is running in the vault-benchmark-kzxkw pod.

Examine the results by following the logs.

$ kubectl logs --follow vault-benchmark-kzxkw

2026-03-10T16:26:59.008Z [INFO]  vault-benchmark: setting up targets
2026-03-10T16:27:01.229Z [INFO]  vault-benchmark: starting benchmarks: duration=30s
2026-03-10T16:27:31.276Z [INFO]  vault-benchmark: cleaning up targets
2026-03-10T16:27:36.418Z [INFO]  vault-benchmark: benchmark complete
Target: https://vault:8200
op                    count  rate         throughput   mean        95th%        99th%        successRatio
kube_auth_test1       42278  1409.784456  1407.075732  4.779916ms  23.443517ms  70.551602ms  100.00%
static_secret_writes  41775  1390.375064  1390.333186  2.298398ms  2.599187ms   58.897706ms  100.00%

Run the benchmark.

$ vault-benchmark run \
    -config="$HC_LEARN_LAB"/vault-benchmark-config.hcl

Example output:

2026-03-10T13:04:10.077-0400 [INFO]  vault-benchmark: setting up targets
2026-03-10T13:04:39.710-0400 [INFO]  vault-benchmark: starting benchmarks: duration=30s
2026-03-10T13:05:09.924-0400 [INFO]  vault-benchmark: cleaning up targets
2026-03-10T13:05:38.748-0400 [INFO]  vault-benchmark: benchmark complete
Target: https://example-public-vault-8675309.c0ff3366.z0.hashicorp.cloud:8200
op                    count  rate       throughput  mean          95th%         99th%         successRatio
approle_logins        1057   35.232512  29.160321   142.55703ms   182.999558ms  252.57201ms   83.35%
static_secret_writes  1095   36.522055  30.800136   137.212236ms  171.060724ms  276.173752ms  84.75%

Review the output

The benchmark output is tabular by default. This example is from the self-hosted dev mode server, but the output will be similar for Vault in any environment.

2026-03-05T12:05:42.312-0500 [INFO]  vault-benchmark: setting up targets
2026-03-05T12:05:44.376-0500 [INFO]  vault-benchmark: starting benchmarks: duration=30s
2026-03-05T12:06:14.377-0500 [INFO]  vault-benchmark: cleaning up targets
2026-03-05T12:06:29.601-0500 [INFO]  vault-benchmark: benchmark complete
Target: https://127.0.0.1:8200
op                    count   rate         throughput   mean       95th%       99th%       successRatio
approle_logins        205869  6862.296969  6862.225774  734.673µs  1.716825ms  2.77376ms   100.00%
static_secret_writes  206253  6875.167739  6875.069110  698.976µs  1.623511ms  2.740157ms  100.00%

The first 4 lines are log outputs from vault-benchmark which describe its current actions.

The 5th line shows the benchmark target URL, and the 6th line represents headings for the metric data.

The data metrics are as follows for the last 2 lines, which represent each of the 2 benchmark tests you configured.

op: the test name.
count: the number of tests completed during the benchmark duration.
rate: the true operations per second rate of all tests of this type.
throughput: the operations per second rate of all successful tests of this type.
mean: the mean time in milliseconds per operation.
95th%: the 95th percentile time in milliseconds per operation.
99th%: the 99th percentile time in milliseconds per operation.
successRatio: the percentage of successful tests of this type. When tests are not successful, you should consult the Vault operational and audit logs for details on the unsuccessful tests.

Tip

You can also output the benchmark results as JSON with the -report_mode=json flag.

Cleanup

Follow the steps for the environment you used in the lab sandbox to clean up.

Stop the Vault dev mode server.
```
$ pkill vault
```
Remove the lab sandbox directory.
```
$ rm -rf "$HC_LEARN_LAB"
```

Unset environment variables.

$ unset VAULT_ADDR VAULT_CACERT VAULT_TOKEN

Remove cached Vault token.
```
$ rm -f ~/.vault-token
```

Stop the Vault dev mode container; Docker will automatically remove the container.
```
$ docker stop learn-vault
```
Remove the Docker network.
```
$ docker network rm learn-vault
```
Remove the lab sandbox directory.
```
$ rm -rf "$HC_LEARN_LAB"
```

Unset environment variables.

$ unset VAULT_ADDR VAULT_CACERT VAULT_TOKEN

Delete the benchmark job.

$ kubectl delete jobs/vault-benchmark

Example output:

job.batch "vault-benchmark" deleted from default namespace

Uninstall the Vault server Helm chart to stop and remove the Vault pods.
```
$ helm uninstall vault
```
Example output:
```
release "vault" uninstalled
```

Delete minikube instance to stop it.

$ minikube delete
🔥  Deleting "minikube" in docker ...
🔥  Deleting container "minikube" ...
🔥  Removing /Users/brian/.minikube/machines/minikube ...
💀  Removed all traces of the "minikube" cluster.

Remove the lab sandbox directory.
```
$ rm -rf "$HC_LEARN_LAB"
```
Unset environment variables.
```
$ unset VAULT_ADDR VAULT_TOKEN
```

If you do not need your Vault Dedicated or HashiCorp Virtual Network resources any longer, access the HCP portal and delete the Vault cluster and HVN.
Remove the lab sandbox directory.
```
$ rm -rf "$HC_LEARN_LAB"
```
Unset environment variables.
```
$ unset VAULT_ADDR VAULT_TOKEN
```

Next steps

You learned the basics around the Vault Benchmark tool, including how to configure and run a benchmark. You also learned about the default benchmark output, and available documentation resources for Vault Benchmark.

To dive deeper into Vault performance, consider reviewing the HashiCorp Well Architected Framework on identifying metrics, performance tuning and production hardening documentation.

Help and reference

Migrate with codified configuration

Protect against resource exhaustion