Private, secure Vagrant box repositories for every team

Cloudsmith gives your teams a fully managed, private Vagrant box registry with fine-grained access control, vulnerability scanning, and global distribution. Stop wrestling with DIY registries and HCP migration friction - store and distribute Vagrant boxes with confidence alongside every other format your teams use.

Universal format support

Centralize your Vagrant boxes. Cloudsmith is a secure, managed store for boxes, containers, and every artifact your teams depend on.

  • Use Vagrant + 30 other formats in one place
  • Store boxes alongside container images, OS packages, and raw assets
  • Manage your entire software supply chain from a single, centralized registry

How we support Vagrant

Cloudsmith gives you a fully managed Vagrant box registry that handles storage, security, and distribution so your teams can focus on building consistent environments.
  • Private box hosting: Push and pull Vagrant boxes using native Vagrant tooling. Cloudsmith acts as a fully compatible private registry with token-based authentication and per-repository access control.
  • Security scanning: Every box upload is scanned for vulnerabilities. Apply OPA Rego policies to block non-compliant artifacts before they reach developer machines.
  • Global distribution: Cloudsmith's CDN-backed network with 600+ edge points of presence ensures fast box downloads for distributed teams wherever they are.
  • Multi-format repositories: Store Vagrant boxes alongside Docker images, RPM, Debian, Helm charts, and 26 other formats in a single Cloudsmith repository - no extra tooling required.
  • Full audit and observability: Every push and pull is logged. Client logs, audit trails, and analytics give your security and ops teams complete visibility over who accessed what and when.

Why teams choose Cloudsmith for Vagrant

Moving from ad-hoc box hosting or HCP Vagrant to Cloudsmith gives your teams fine-grained access control, security scanning, and a single registry for every format - eliminating the operational friction that slows builds and increases risk.
Without Cloudsmith: Teams roll their own Nginx or Apache file server to host boxes privately, with no authentication, no versioning enforcement, and no security scanning. Any team member with network access can pull any box.
With Cloudsmith: Cloudsmith gives you a fully managed private registry with token-based auth, granular per-repository permissions, and automated vulnerability scanning on every upload - zero infrastructure to maintain.

Without Cloudsmith: HCP Vagrant does not support box or registry-level access restrictions, making it impossible to limit which developers or CI systems can pull a given box. Sensitive base images are exposed to the entire organisation.
With Cloudsmith: Cloudsmith's flexible permission model lets you scope access at the organisation, repository, or user level. OIDC and SAML/SSO integration slots into your existing identity provider without custom tooling.

Without Cloudsmith: Vagrant boxes are stored in a separate silo from containers, OS packages, and other artifacts. Teams maintain multiple registries, multiple credential sets, and multiple billing relationships.
With Cloudsmith: Cloudsmith centralises Vagrant boxes alongside Docker images, Helm charts, Debian, RPM, and 26 other formats. One registry, one set of credentials, one audit log - for every artifact your team touches.

Signs you're ready to switch to Cloudsmith for Vagrant

If your current Vagrant box hosting is held together with scripts, S3 buckets, or an unmaintained self-hosted server, Cloudsmith is the managed upgrade your team actually needs.
  • No access controls on your boxes: If your box registry treats all users equally and you have no way to restrict who can pull or publish, you are one credential leak away from exposing your base images to anyone.
  • Boxes are never scanned for vulnerabilities: Vagrant boxes bundle entire OS images. Without automated vulnerability scanning on every upload, outdated or compromised packages reach developer machines unchecked.
  • Slow downloads for remote or distributed teams: A single-region or self-hosted file server means remote developers wait minutes to pull large box files. Cloudsmith's global CDN cuts download times for every location.
  • Managing separate registries for each format: If your team runs one server for Vagrant, another for Docker, and another for OS packages, you are paying the hidden cost of fragmented tooling, fragmented auditing, and fragmented on-call.
  • Painful HCP Vagrant migration friction: HCP Vagrant migration has broken authentication, provider metadata, and upload workflows for many teams. Cloudsmith gives you a stable, API-first alternative with no surprise breaking changes.

Frequently asked questions

  1. Yes. Cloudsmith acts as a fully compatible private Vagrant registry. You configure your VAGRANT_SERVER_URL or box_url to point at your Cloudsmith repository and use the Vagrant CLI to push and pull boxes exactly as you would with any other registry.

  2. Cloudsmith uses API key authentication. You set your credentials using the standard Vagrant Cloud token environment variable or via the Vagrantfile. Cloudsmith also supports OIDC for machine-to-machine auth in CI/CD pipelines, removing the need to store long-lived secrets.

  3. Yes. Cloudsmith gives you repository-level and organisation-level permissions. You can grant read, write, or admin access to individual users, teams, or service accounts. This means you can keep base images containing sensitive configuration private to specific groups while sharing general-purpose boxes more broadly.

  4. Yes. Every box uploaded to Cloudsmith is scanned for known vulnerabilities using Cloudsmith's integrated scanning engine. You can define OPA Rego policies that automatically quarantine or block boxes that fail your security thresholds before they reach developer machines.

  5. Yes. Cloudsmith repositories are multi-format by default. You can store Vagrant boxes alongside Docker images, Debian packages, RPM, Helm charts, and 26 other formats in a single repository, with a unified audit log and a single set of credentials.

  6. Cloudsmith stores and serves box metadata including version strings and provider names, matching the Vagrant box catalog format. You can publish new versions of a box and consumers will receive the correct version when they run vagrant box update.

  7. Yes. HCP Vagrant does not currently support box or registry-level access restrictions, and the migration from Vagrant Cloud has caused authentication and metadata issues for many teams. Cloudsmith gives you a stable, enterprise-ready alternative with fine-grained access control, vulnerability scanning, and no migration surprises.

  8. Cloudsmith is backed by a CDN with over 600 edge points of presence globally. Large Vagrant box files are served close to wherever your developers are, reducing download times significantly compared to a single-region or self-hosted file server.

  9. Yes. You can push existing box files to Cloudsmith using the Cloudsmith CLI or REST API. Cloudsmith supports bulk uploads and retains your existing version metadata, making migration straightforward whether you are coming from HCP Vagrant, Vagrant Cloud, or a self-hosted file server.

  10. Yes. Cloudsmith supports SAML/SSO and SCIM for identity management, so your existing identity provider controls who can access Vagrant repositories. You can enforce MFA and provision or deprovision access automatically as team membership changes.
