Integrating Vault with Ansible Playbooks

Integrating HashiCorp Vault with Ansible playbooks allows you to securely manage and retrieve secrets needed during your automation workflows. Vault provides a central repository for storing sensitive information such as passwords, API keys, and certificates. In this tutorial, we will explore how to integrate Vault with Ansible playbooks.

Why Integrate Vault with Ansible?

Integrating Vault with Ansible offers several benefits:

  • Secure Secrets Management: Vault encrypts and stores secrets, ensuring they are protected at rest and only accessible by authorized users.
  • Dynamic Secrets: Vault can generate credentials on demand (for example a database user per playbook run) with a lease that Vault revokes when it expires, so a leaked credential has a short lifetime and a narrow blast radius.
  • Centralized Secret Storage: Vault acts as a central repository for secrets, eliminating the need to hardcode sensitive information in Ansible playbooks.

Let's take a look at a couple of examples to understand how to integrate Vault with Ansible playbooks.

Example 1: Retrieving a Secret from Vault

To retrieve a secret from Vault, use the hashi_vault lookup plugin from the community.hashi_vault collection. The lookup runs on the control node and authenticates with whatever credentials it is given: by default it reads the Vault address from VAULT_ADDR and a token from VAULT_TOKEN (or ~/.vault-token). For example:

- name: Retrieve API key from Vault
  hosts: localhost
  vars:
    # "secret/data/myapp" is the API path of the KV v2 secret "secret/myapp";
    # ":api_key" selects a single field instead of returning the whole dict
    api_key: "{{ lookup('community.hashi_vault.hashi_vault', 'secret=secret/data/myapp:api_key') }}"
  tasks:
    - name: Confirm the secret was retrieved without logging it
      debug:
        msg: "api_key retrieved from Vault ({{ api_key | length }} characters)"

In this example, the lookup reads the api_key field of the secret stored at secret/myapp. On a KV version 2 mount (the default for secret/ in current Vault releases) the API path contains data/ between the mount and the secret name; on a KV version 1 mount the path is used as-is (secret=secret/myapp:api_key). Omitting the :field suffix returns the whole key/value dictionary. The debug task deliberately prints only the length of the value: printing the secret itself would write it to the Ansible log, which is one of the common mistakes listed below.

Example 2: Authenticating with Vault

Prior to retrieving secrets from Vault, you need to authenticate with Vault using an authentication method suited to automation. The approle method is designed for machines: a role_id identifies the application and a secret_id (ideally short-lived and single-use) proves possession. The login returns a token that carries only the policies attached to the role. Here is an example of authenticating with the community.hashi_vault.vault_login module; the AppRole credentials are read from the environment rather than written into the playbook:

- name: Authenticate with Vault
  hosts: localhost
  tasks:
    - name: Login to Vault
      community.hashi_vault.vault_login:
        # url falls back to VAULT_ADDR when omitted
        auth_method: approle
        role_id: "{{ lookup('env', 'VAULT_ROLE_ID') }}"
        secret_id: "{{ lookup('env', 'VAULT_SECRET_ID') }}"
      register: vault_login_result
      no_log: true   # keeps role_id, secret_id and the returned token out of the log

    - name: Show the token's policies and TTL (never the token itself)
      debug:
        msg: "Vault token policies: {{ vault_login_result.login.auth.policies }}, TTL: {{ vault_login_result.login.auth.lease_duration }}s"

In this example, the vault_login module authenticates with the approle method. The role ID and secret ID are read from environment variables, and no_log: true prevents them, and the returned token, from appearing in the play output or log files. The full login response is stored in vault_login_result; the client token at vault_login_result.login.auth.client_token can be passed as the token option to subsequent lookups and vault_* modules. The debug task prints only the policies attached to the token and its TTL, which is a quick check that the role carries no more privileges than intended.

Steps to Integrate Vault with Ansible Playbooks

Here are the detailed steps to integrate Vault with Ansible playbooks:

1. Install Required Ansible Plugins

Ensure the community.hashi_vault collection, which provides the hashi_vault lookup and the vault_* modules (vault_login, vault_read, vault_kv2_get), and its Python dependency hvac are installed on the control node:

$ ansible-galaxy collection install community.hashi_vault
$ python3 -m pip install hvac

2. Authenticate with Vault

Choose an authentication method suited to unattended use. For playbooks run by CI or a scheduler, approle is the usual choice; a static token is acceptable only for local testing. Authenticate with the vault_login module (or let each lookup or module authenticate itself by passing auth_method, role_id and secret_id), and supply the credentials through environment variables or an ansible-vault encrypted file rather than in the playbook.

3. Retrieve Secrets from Vault

Use the hashi_vault lookup, or the vault_read and vault_kv2_get modules, to retrieve secrets from Vault. Specify the secret path (including data/ for KV version 2 mounts) and any additional parameters required, and register or store the result in a variable. Lookups always run on the control node; modules run on the target host unless you delegate them, so use delegate_to: localhost when only the control node can reach Vault.

4. Use Secrets in Playbook Tasks

Reference the retrieved secrets as ordinary Ansible variables in the tasks that need them, such as template or copy tasks that write configuration files. Set no_log: true on every task that receives a secret as a parameter or returns one in its output, and give files that contain secrets restrictive ownership and mode.
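The four steps above combined into one playbook, as an added example that is not part of the original page. It assumes the community.hashi_vault collection and hvac are installed; that VAULT_ADDR, VAULT_ROLE_ID and VAULT_SECRET_ID are exported on the control node; that an AppRole named myapp has a policy allowing read on secret/data/myapp and database/creds/myapp-readonly; and that the inventory group app_servers, the system user myapp and the myapp service exist. All of these names are assumptions chosen for the example.

```yaml
# Added example, not code from the original page. Assumed names: app_servers,
# myapp (AppRole, user, service), secret/myapp (KV v2), database/creds/myapp-readonly.
- name: Deploy myapp with secrets from Vault
  hosts: app_servers
  become: true
  vars:
    vault_addr: "{{ lookup('env', 'VAULT_ADDR') }}"
  tasks:
    # Step 2: authenticate once on the control node; the token never reaches the log
    - name: Log in with AppRole
      community.hashi_vault.vault_login:
        url: "{{ vault_addr }}"
        auth_method: approle
        role_id: "{{ lookup('env', 'VAULT_ROLE_ID') }}"
        secret_id: "{{ lookup('env', 'VAULT_SECRET_ID') }}"
      register: login
      no_log: true
      delegate_to: localhost
      run_once: true

    # Step 3a: static secret from the KV v2 mount "secret", path "myapp"
    - name: Read static application secrets
      community.hashi_vault.vault_kv2_get:
        url: "{{ vault_addr }}"
        engine_mount_point: secret
        path: myapp
        token: "{{ login.login.auth.client_token }}"
      register: app_kv
      no_log: true
      delegate_to: localhost
      run_once: true

    # Step 3b: dynamic database credentials; no run_once, so every host gets
    # its own lease and Vault revokes each one independently when it expires
    - name: Request dynamic database credentials
      community.hashi_vault.vault_read:
        url: "{{ vault_addr }}"
        path: database/creds/myapp-readonly
        token: "{{ login.login.auth.client_token }}"
      register: db_creds
      no_log: true
      delegate_to: localhost

    # Fail before touching the host if the secret does not have the expected shape;
    # the message names the field, not its value
    - name: Check that the expected field is present
      assert:
        that:
          - "'api_key' in app_kv.secret"
        fail_msg: "secret/myapp has no api_key field"

    # Step 4: render the secrets into a file only the service account can read;
    # no_log also suppresses the content diff that copy would otherwise show
    - name: Write application config
      copy:
        dest: /etc/myapp/config.env
        owner: myapp
        group: myapp
        mode: "0600"
        content: |
          API_KEY={{ app_kv.secret.api_key }}
          DB_USER={{ db_creds.data.data.username }}
          DB_PASS={{ db_creds.data.data.password }}
      no_log: true
      notify: restart myapp

  handlers:
    - name: restart myapp
      service:
        name: myapp
        state: restarted
```

Run it with `ansible-playbook -i inventory deploy.yml` after exporting the three VAULT_* variables. The Vault calls are delegated to localhost because the control node is typically the only machine that can reach Vault; the static secret is fetched once (run_once) while the dynamic database credentials are requested per host, so revoking one host's lease (for example with `vault lease revoke`) does not affect the others.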

Common Mistakes with Vault Integration

  • Using insecure authentication methods or weak credentials for Vault access.
  • Storing Vault tokens or secrets in plain text or insecure locations.
  • Not properly configuring access controls and permissions for Vault resources.
  • Leaving debug statements that print secrets, or tasks without no_log: true, so that secrets end up in the console output or Ansible log files.
  • Not following best practices for securing the Ansible control machine and Vault server.

FAQs about Integrating Vault with Ansible

  1. Q: Can I use multiple Vault servers in my Ansible playbook?

    A: Yes. Every lookup and module accepts a url option, so different tasks can point at different Vault servers; the VAULT_ADDR environment variable is only the default for tasks that do not set url. Each server needs its own authentication, since a token issued by one Vault cluster is not valid on a separate cluster.

  2. Q: How can I handle Vault authentication securely in my CI/CD pipelines?

    A: Use the AppRole method. The role_id can live in the pipeline's protected variables (it identifies the role but does not by itself grant access); deliver the secret_id out of band, for example by having a trusted orchestrator generate a response-wrapped secret_id with a short secret_id_ttl and secret_id_num_uses set to 1, so that a leaked or replayed secret_id is useless. Restrict the role with secret_id_bound_cidrs where possible, attach only the policies the job needs, and never echo the token or secret_id into job logs.

  3. Q: Can I use Vault with Ansible Tower?

    A: Yes. Ansible Tower (now Automation Controller) ships a "HashiCorp Vault Secret Lookup" credential type that retrieves values from KV mounts, and a "HashiCorp Vault Signed SSH" type for SSH certificates. Tower authenticates to Vault with the credentials you configure (for example an AppRole) and injects the retrieved values into the job as credential fields, so the secrets appear in neither the playbook nor the job template.

Summary

Integrating HashiCorp Vault with Ansible playbooks allows for secure and centralized management of secrets. By retrieving secrets dynamically from Vault during playbook execution, you can eliminate the need for hardcoding sensitive information and ensure that secrets remain protected. Follow best practices for authentication, access control, and secure handling of credentials to maintain the integrity and confidentiality of your secrets. With the integration of Vault and Ansible, you can enhance the security of your automation workflows and effectively manage sensitive information.