diff --git a/CHANGELOG.md b/CHANGELOG.md
index 47e3f225..2f54674b 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -4,6 +4,9 @@ Canonical reference for changes, improvements, and bugfixes for the Boundary Ter
 ## Next
+### New and Improved
+* Add support for credential store vault worker filters ([PR](https://github.com/hashicorp/terraform-provider-boundary/pull/375))
+
 ### Bug Fix
 * Allow users to set OIDC maxAge value to 0 to require immediate reauth ([PR](https://github.com/hashicorp/terraform-provider-boundary/pull/364))
diff --git a/internal/provider/resource_credential_store_vault.go b/internal/provider/resource_credential_store_vault.go
index 874bf261..eb47dfb0 100644
--- a/internal/provider/resource_credential_store_vault.go
+++ b/internal/provider/resource_credential_store_vault.go
@@ -26,6 +26,7 @@ const (
 credentialStoreVaultClientCertificateKeyKey = "client_certificate_key"
 credentialStoreVaultClientCertificateKeyHmacKey = "client_certificate_key_hmac"
 credentialStoreType = "vault"
+ credentialStoreVaultWorkerFilterKey = "worker_filter"
 )
 var storeVaultAttrs = []string{
@@ -123,6 +124,11 @@ func resourceCredentialStoreVault() *schema.Resource {
 Type: schema.TypeString,
 Computed: true,
 },
+ credentialStoreVaultWorkerFilterKey: {
+ Description: "HCP Only. A filter used to control which PKI workers can handle Vault requests. This allows the use of private Vault instances with Boundary.",
+ Type: schema.TypeString,
+ Optional: true,
+ },
 },
 }
 }
@@ -137,6 +143,9 @@ func setFromVaultCredentialStoreResponseMap(d *schema.ResourceData, raw map[stri
 if err := d.Set(ScopeIdKey, raw[ScopeIdKey]); err != nil {
 return diag.FromErr(err)
 }
+ if err := d.Set(credentialStoreVaultWorkerFilterKey, raw[credentialStoreVaultWorkerFilterKey]); err != nil {
+ return diag.FromErr(err)
+ }
 var diags diag.Diagnostics
 csId := raw["id"]
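Review bot: In the `resourceCredentialStoreVault` schema hunk, `worker_filter` is accepted as an unvalidated free-form string, and its Description says neither what syntax is expected nor what happens when the attribute is left unset. Since this value decides which workers are allowed to handle Vault requests, a whitespace-only value should be rejected at plan time; if the SDK `validation` package is already imported in this file (not visible here), `ValidateFunc: validation.StringIsNotWhiteSpace,` would do that. I would also extend the Description with a sentence such as `Value is a Boundary worker filter expression; when unset, no filter is applied.`, where the second half is my reading of the update path and should be confirmed.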
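Review bot: In the `setFromVaultCredentialStoreResponseMap` hunk, the new `d.Set` reads `raw[credentialStoreVaultWorkerFilterKey]` from the top level of the response map, next to `ScopeIdKey`, while `storeVaultAttrs` (visible as context in the const hunk) is left unchanged by this commit. If the API returns `worker_filter` nested with the other Vault-specific attributes, which the `WithVaultCredentialStoreWorkerFilter` option name hints at but the diff does not show, this lookup is always nil and state records an empty filter. That would produce a permanent plan diff and leave state unable to show which workers are actually permitted to reach Vault. Please confirm the response shape, read the value from the nested map if that is where it lives, and add an acceptance test that reads the filter back after create. The function body continues outside the hunk.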
@@ -228,6 +237,9 @@ func resourceCredentialStoreVaultCreate(ctx context.Context, d *schema.ResourceD
 if v, ok := d.GetOk(credentialStoreVaultTokenKey); ok {
 opts = append(opts, credentialstores.WithVaultCredentialStoreToken(v.(string)))
 }
+ if v, ok := d.GetOk(credentialStoreVaultWorkerFilterKey); ok {
+ opts = append(opts, credentialstores.WithVaultCredentialStoreWorkerFilter(v.(string)))
+ }
 var scope string
 gotScope, ok := d.GetOk(ScopeIdKey)
@@ -359,6 +371,14 @@ func resourceCredentialStoreVaultUpdate(ctx context.Context, d *schema.ResourceD
 }
 }
+ if d.HasChange(credentialStoreVaultWorkerFilterKey) {
+ opts = append(opts, credentialstores.DefaultVaultCredentialStoreWorkerFilter())
+ v, ok := d.GetOk(credentialStoreVaultWorkerFilterKey)
+ if ok {
+ opts = append(opts, credentialstores.WithVaultCredentialStoreWorkerFilter(v.(string)))
+ }
+ }
+
 if len(opts) > 0 {
 opts = append(opts, credentialstores.WithAutomaticVersioning(true))
 crUpdate, err := client.Update(ctx, d.Id(), 0, opts...)
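Review bot: In the `resourceCredentialStoreVaultUpdate` hunk, the reset-then-set sequence is undocumented and appears to rely on a later option overriding an earlier one. Add a comment above the block such as `// Reset first so removing worker_filter from config clears it server-side; the With option below overrides the reset when a value is set.`, and fold the lookup into the condition as the create path does: `if v, ok := d.GetOk(credentialStoreVaultWorkerFilterKey); ok {`. Clearing the filter presumably lets any worker handle Vault requests again, so that transition is worth stating in the attribute documentation. The function starts and ends outside the hunk.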