diff --git a/ci/vlt b/ci/vlt
index 0f3d423..19718e4 100755
--- a/ci/vlt
+++ b/ci/vlt
@@ -13,6 +13,7 @@ login() {
   : "${VAULT_SECRET_ID:?missing VAULT_SECRET_ID}"
   log "login approle"
   resp="$(curl -sfS -X POST -H 'Content-Type: application/json' \
+    --connect-timeout 5 --max-time 20 \
     -d "{\"role_id\":\"${VAULT_ROLE_ID}\",\"secret_id\":\"${VAULT_SECRET_ID}\"}" \
     "${VAULT_ADDR%/}/v1/auth/approle/login")"
   token="$(printf '%s' "$resp" | sed -n 's/.*"client_token"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p')"
@@ -34,7 +35,7 @@ kv_get() {
   mount="$1"; path="$2"; field="$3"
   ensure_token
   url="${VAULT_ADDR%/}/v1/${mount}/data/${path}"
-  resp="$(curl -sfS -H "X-Vault-Token: ${VAULT_TOKEN}" "$url")"
+  resp="$(curl -sfS --connect-timeout 5 --max-time 20 -H "X-Vault-Token: ${VAULT_TOKEN}" "$url")"
   raw="$(printf '%s' "$resp" | sed -n "s/.*\"${field}\"[[:space:]]*:[[:space:]]*\"\([^\"]*\)\".*/\1/p")"
   [ -n "$raw" ] || { echo "field not found: ${mount}/${path}:${field}" >&2; exit 2; }
   printf '%s' "$raw" | sed -e 's/\\n/\n/g' -e 's/\\t/\t/g' -e 's/\\"/"/g' -e 's/\\\\/\\/g'