.env

# Your env var to resolve : kvStore:key[:version]
VAULT_TEST=api:test

HashiCorpVaultParameterResolver.php

<?php

namespace App\Config;

use Psr\Log\LoggerInterface;
use Symfony\Component\DependencyInjection\EnvVarProcessorInterface;
use Symfony\Contracts\HttpClient\Exception\ClientExceptionInterface;
use Symfony\Contracts\HttpClient\Exception\DecodingExceptionInterface;
use Symfony\Contracts\HttpClient\Exception\RedirectionExceptionInterface;
use Symfony\Contracts\HttpClient\Exception\ServerExceptionInterface;
use Symfony\Contracts\HttpClient\Exception\TransportExceptionInterface;
use Symfony\Contracts\HttpClient\HttpClientInterface;

class VaultParameterResolver implements EnvVarProcessorInterface
{
    public const VAULT_URL = 'http://vault:8200';

    private HttpClientInterface $httpClient;
    private string              $vaultToken;
    private LoggerInterface     $logger;
    private string              $vaultUri;

    public function __construct(
        HttpClientInterface $httpClient,
        LoggerInterface $logger,
        string $vaultUri = self::VAULT_URL,
        string $vaultToken = ''
    ) {
        $this->httpClient = $httpClient;
        $this->vaultToken = $vaultToken;
        $this->logger     = $logger;
        $this->vaultUri   = $vaultUri;
    }

    /**
     * @param string   $prefix
     * @param string   $name The name of the env var
     * @param \Closure $getEnv
     *
     * @return mixed|null
     */
    public function getEnv(string $prefix, string $name, \Closure $getEnv)
    {
        $nameValue = $getEnv($name);                        // We get the env var value
        $params    = explode(':', $nameValue);    // Get the parameters kvStore:key[:version]

        return $this->getValue(...$params);             // Return the value
    }

    public static function getProvidedTypes(): array
    {
        return ['vault' => 'string'];                           // Vault will always return a string in kv
    }

    private function getValue(string $secretKV, string $key, int $version = null)
    {
        $data    = [];
        $options = [
            'headers' => [
                'X-Vault-Token' => $this->vaultToken            // Set you vault token
            ],
        ];

        if ($version !== null) {
            $options['query']['version'] = $version;           // If we have a version, set it in the query
        }

        try {
            $res = $this->httpClient->request(
                'GET',
                $this->vaultUri . '/v1/secret/data/' . $secretKV,
                $options
            );

            $data = $res->toArray()['data'];                    // Retrieve your configuration
        } catch (TransportExceptionInterface|ClientExceptionInterface|DecodingExceptionInterface|RedirectionExceptionInterface|ServerExceptionInterface $e) {
            $this->logger->critical($e->getMessage());
        }

        $values = $data['data'] ?? [];

        if (!array_key_exists($key, $values)) {     // If the key does not exist, just return null.
            return null;                                        // You could also throw an MissingParameterException for example.
        }

        return $values[$key];                                   // Return your value
    }
}

services.yaml

parameters:
    # Use the `vault` prefix to process it through the HashiCorpVaultParameterResolver
    'vault.test': "%env(vault:VAULT_TEST)%"