diff --git a/website/content/docs/concepts/domain-model/credential-stores.mdx b/website/content/docs/concepts/domain-model/credential-stores.mdx
index dedcd8c70a..d15bc95482 100644
--- a/website/content/docs/concepts/domain-model/credential-stores.mdx
+++ b/website/content/docs/concepts/domain-model/credential-stores.mdx
@@ -58,6 +58,14 @@ A Vault credential store has the following additional attributes:
 - `namespace` - (optional)
   A Vault [namespace][]. Requires Vault Enterprise.
 
+- `worker_filter` <sup>HCP Only</sup> - (optional)
+  A [filter] used to control which [PKI workers] can handle Vault requests.
+  This allows the use of private Vault instances with Boundary. PKI workers
+  deployed in the same network as a private Vault instance can access and relay
+  Vault requests to Boundary controllers.
+  ~> **Note:** A PKI worker that matches the worker filter must exist before defining the Vault credential store, as it
+  will perform the Vault calls needed to set up the credential store with Boundary.
+
 ### Static Credential Store Attributes
 
 A static credential store has no type-specific attributes.
@@ -161,6 +169,10 @@ $ curl https://boundaryproject.io/data/vault/boundary-controller-policy.hcl -O -
 $ vault policy write boundary-controller boundary-controller-policy.hcl
 ```
 
+### Static Credential Store
+
+A static credential store allows user-supplied credentials to be managed by Boundary. Credentials are encrypted and stored directly in Boundary. Currently, the static credential store can hold credentials of type `username_password`.
+
 [token_requirements]: /docs/concepts/domain-model/credential-stores#vault-token-requirements
 [token_policy]: /docs/concepts/domain-model/credential-stores#vault-boundary-controller-policy
 [vault]: https://www.vaultproject.io
@@ -168,7 +180,5 @@ $ vault policy write boundary-controller boundary-controller-policy.hcl
 [renewable]: https://www.vaultproject.io/api-docs/auth/token#renewable-1
 [periodic]: https://www.vaultproject.io/api-docs/auth/token#token_period
 [orphan]: https://www.vaultproject.io/api-docs/auth/token#orphan
-
-### Static Credential Store
-
-A Static credential store allows for a user-supplied credentials managed by Boundary. Credentials are encrypted and stored directly in Boundary. Currently, the static credential store can hold credentials of type `username_password`.
+[PKI workers]: /docs/configuration/worker/pki-worker
+[filter]: /docs/concepts/filtering/worker-tags
diff --git a/website/content/docs/concepts/filtering/worker-tags.mdx b/website/content/docs/concepts/filtering/worker-tags.mdx
index 88266019db..2af2cd4874 100644
--- a/website/content/docs/concepts/filtering/worker-tags.mdx
+++ b/website/content/docs/concepts/filtering/worker-tags.mdx
@@ -2,11 +2,11 @@
 layout: docs
 page_title: Filtering - Worker Tags
 description: |-
-  How to use worker tags to control which workers can handle a given target.
+  How to use worker tags to control which workers can handle a given resource.
 ---
 
 This page describes how to use worker tags and filters to control which workers
-are allowed to handle a given target. This can be used to control traffic
+are allowed to handle a given resource. This can be used to control traffic
 locality. As an example, this can be used to ensure that traffic going into a
 public cloud is only handled by workers running within that same cloud.
 
@@ -100,11 +100,7 @@ array with the tags intended for the particular key is required:
 ["prod", "webservers"]
 ```
 
-# Target Worker Filtering
-
-Once workers have tags, it is possible to use these tags to control which
-workers are allowed to handle a given session by specifying a `worker_filter`
-attribute when configuring [targets](/docs/concepts/domain-model/targets).
+# Worker Filtering
 
 As filters operate on JSON Pointer selectors, the values that are input into the
 filter come from the JSON representation of the values in the configuration file
@@ -137,3 +133,24 @@ Following are some examples of using these values in filters:
   know that you have only one value, an equivalent would be `"/tags/region/0" == "us-east-1"`.
 
 - Grouping: `("us-east-1" in "/tags/region" and "/name" == "web-prod-us-east-1") or "webservers" in "/tags/type"`
+
+# Target Worker Filtering
+
+Once workers have tags, these tags may be used to control which
+workers are allowed to manage a given session by specifying a `worker_filter`
+attribute when configuring [targets](/docs/concepts/domain-model/targets).
+
+
+# Vault Worker Filtering <sup>HCP Only</sup>
+Tags are used to control which [PKI workers] can manage Vault requests by specifying
+a `worker_filter`attribute when configuring [credential stores].
+
+This allows the use of private Vault instances with Boundary. PKI workers
+deployed in the same network as a private Vault instance can access and relay
+Vault requests to Boundary controllers.
+
+ ~> **Note:** A PKI worker that matches the worker filter must exist before defining the Vault credential store, as it
+ will perform the Vault calls needed to set up the credential store with Boundary.
+
+[PKI workers]: /docs/configuration/worker/pki-worker
+[credential stores]: /docs/concepts/domain-model/credential-stores#vault-credential-store-attributes