diff --git a/awx/main/tests/functional/test_credential_plugins.py b/awx/main/tests/functional/test_credential_plugins.py
index 8ff8093c34..6bd4f9cdb2 100644
--- a/awx/main/tests/functional/test_credential_plugins.py
+++ b/awx/main/tests/functional/test_credential_plugins.py
@@ -1,3 +1,8 @@
+import pytest
+from unittest import mock
+from awx.main.credential_plugins import hashivault
+
+
 def test_imported_azure_cloud_sdk_vars():
     from awx.main.credential_plugins import azure_kv
 
@@ -5,3 +10,69 @@ def test_imported_azure_cloud_sdk_vars():
     assert all([hasattr(c, 'name') for c in azure_kv.clouds])
     assert all([hasattr(c, 'suffixes') for c in azure_kv.clouds])
     assert all([hasattr(c.suffixes, 'keyvault_dns') for c in azure_kv.clouds])
+
+
+def test_hashivault_approle_auth():
+    kwargs = {
+      'role_id': 'the_role_id',
+      'secret_id': 'the_secret_id',
+    }
+    expected_res = {
+      'role_id': 'the_role_id',
+      'secret_id': 'the_secret_id',
+    }
+    res = hashivault.approle_auth(**kwargs)
+    assert res == expected_res
+
+
+def test_hashivault_kubernetes_auth():
+    kwargs = {
+      'kubernetes_role': 'the_kubernetes_role',
+    }
+    expected_res = {
+        'role': 'the_kubernetes_role',
+        'jwt': 'the_jwt',
+    }
+    with mock.patch('pathlib.Path') as path_mock:
+        mock.mock_open(path_mock.return_value.open, read_data='the_jwt')
+        res = hashivault.kubernetes_auth(**kwargs)
+        path_mock.assert_called_with('/var/run/secrets/kubernetes.io/serviceaccount/token')
+        assert res == expected_res
+
+
+def test_hashivault_handle_auth_token():
+    kwargs = {
+      'token': 'the_token',
+    }
+    token = hashivault.handle_auth(**kwargs)
+    assert token == kwargs['token']
+
+
+def test_hashivault_handle_auth_approle():
+    kwargs = {
+        'role_id': 'the_role_id',
+        'secret_id': 'the_secret_id',
+    }
+    with mock.patch.object(hashivault, 'method_auth') as method_mock:
+        method_mock.return_value = 'the_token'
+        token = hashivault.handle_auth(**kwargs)
+        method_mock.assert_called_with(**kwargs, auth_param=kwargs)
+        assert token == 'the_token'
+
+
+def test_hashivault_handle_auth_kubernetes():
+    kwargs = {
+        'kubernetes_role': 'the_kubernetes_role',
+    }
+    with mock.patch.object(hashivault, 'method_auth') as method_mock:
+        with mock.patch('pathlib.Path') as path_mock:
+            mock.mock_open(path_mock.return_value.open, read_data='the_jwt')
+            method_mock.return_value = 'the_token'
+            token = hashivault.handle_auth(**kwargs)
+            method_mock.assert_called_with(**kwargs, auth_param={'role': 'the_kubernetes_role', 'jwt': 'the_jwt'})
+            assert token == 'the_token'
+
+
+def test_hashivault_handle_auth_not_enough_args():
+    with pytest.raises(Exception):
+        hashivault.handle_auth()