The Red Hat Ecosystem Catalog is the official source for discovering and learning more about the Red Hat Ecosystem of both Red Hat and certified third-party products and services.
We’re the world’s leading provider of enterprise open source solutions—including Linux, cloud, container, and Kubernetes. We deliver hardened solutions that make it easier for enterprises to work across platforms and environments, from the core datacenter to the network edge.

22Modules15Plugins1Dependency
An Ansible Collection for managing HashiCorp Vault.
This repository contains the hashicorp.vault Ansible Collection.
The primary purpose of this collection is to provide seamless integration between Ansible Automation Platform and HashiCorp Vault. It contains modules and plugins that support managing secrets, namespaces, authentication, and other Vault operations by using Ansible automation.
Some modules and plugins require external libraries. Please check the requirements for each plugin or module you use in the documentation to find out which requirements are needed.
Tested with the Ansible Core >= 2.16.0 versions.
Tested with the Python >= 3.10 versions.
| Name | Description |
|---|---|
| hashicorp.vault.kv1_secret_get | Look up KV1 secrets stored in HashiCorp Vault |
| hashicorp.vault.kv2_secret_get | Look up KV2 secrets stored in HashiCorp Vault |
| Name | Description |
|---|---|
| hashicorp.vault.acl_policy | Manage HashiCorp Vault ACL policies |
| hashicorp.vault.acl_policy_info | List and read HashiCorp Vault ACL policies |
| hashicorp.vault.auth_login | Authenticate to HashiCorp Vault |
| hashicorp.vault.auth_token | Manage HashiCorp Vault tokens |
| hashicorp.vault.auth_token_info | Retrieve information about a specific HashiCorp Vault token |
| Name | Description |
|---|---|
| hashicorp.vault.database_connection | Manage database secrets engine connections in HashiCorp Vault |
| hashicorp.vault.database_connection_info | List available connections or read configuration for a specific connection |
| hashicorp.vault.database_credential_rotation | Rotate database credentials in HashiCorp Vault |
| hashicorp.vault.database_dynamic_role_credentials | Generate credentials for a database dynamic role |
| hashicorp.vault.database_role | Manage HashiCorp Vault database dynamic roles |
| hashicorp.vault.database_role_info | List available dynamic roles or read configuration for a specific role |
| hashicorp.vault.database_static_role | Manage database static roles in HashiCorp Vault |
| hashicorp.vault.database_static_role_credentials | Read the credentials for a specific static role |
| hashicorp.vault.database_static_role_info | List available static roles or read the configuration for a specific static role |
| Name | Description |
|---|---|
| hashicorp.vault.kv1_secret | Manage HashiCorp Vault KV version 1 secrets |
| hashicorp.vault.kv1_secret_info | Read HashiCorp Vault KV version 1 secrets |
| hashicorp.vault.kv2_secret | Manage HashiCorp Vault KV version 2 secrets |
| hashicorp.vault.kv2_secret_info | Read HashiCorp Vault KV version 2 secrets |
| Name | Description |
|---|---|
| hashicorp.vault.pki_certificate | Issue, sign, or revoke HashiCorp Vault PKI certificates |
| hashicorp.vault.pki_certificate_info | List and read HashiCorp Vault PKI certificates |
| Name | Description |
|---|---|
| hashicorp.vault.vault_namespace | Manage HashiCorp Vault Enterprise namespaces |
| hashicorp.vault.vault_namespace_info | List and read HashiCorp Vault Enterprise namespaces |
To install this collection from Automation Hub, the following needs to be added to ansible.cfg:
[galaxy]
server_list=automation_hub
[galaxy_server.automation_hub]
url=https://console.redhat.com/api/automation-hub/content/published/
auth_url=https://sso.redhat.com/auth/realms/redhat-external/protocol/openid-connect/token
token=<SuperSecretToken>
To download contents from Automation Hub using ansible-galaxy CLI, you would need to generate and use an offline token.
If you already have a token, please ensure that it has not expired. Visit Connect to Hub to obtain the necessary token.
With this configured and Ansible Galaxy command-line tool installed, run the following command:
ansible-galaxy collection install hashicorp.vault
You can also include it in a requirements.yml file and install it via ansible-galaxy collection install -r requirements.yml using the format:
collections:
- name: hashicorp.vault
To upgrade the collection to the latest available version, run the following command:
ansible-galaxy collection install hashicorp.vault --upgrade
You can also install a specific version of the collection, for example, if you need to downgrade when something is broken in the latest version (please report an issue in this repository). Use the following syntax where X.Y.Z can be any available version:
ansible-galaxy collection install hashicorp.vault:==X.Y.Z
See Ansible Using Collections for more details.
Modules in this collection can be used for various operations on HashiCorp Vault. Currently the collection supports: - Managing KV1 and KV2 secrets in HashiCorp Vault (create, read, update, delete) - Managing ACL policies in HashiCorp Vault - Authentication and token management - Managing database secrets engine connections, dynamic roles, and static roles - Generating credentials for database dynamic and static roles - Rotating database credentials - Managing PKI certificates (issue, sign, revoke, read) - Managing Vault Enterprise namespaces
The collection supports environment variables for common connection and authentication parameters. This allows you to configure site-wide defaults and reduce repetition in playbooks.
The following environment variables are supported across all modules and plugins:
| Environment Variable | Parameter | Description | Default |
|---|---|---|---|
VAULT_ADDR | url | Vault server URL | (required) |
VAULT_TOKEN | token | Authentication token | None |
VAULT_NAMESPACE | namespace | Vault namespace | "admin" |
VAULT_AUTH_METHOD | auth_method | Authentication method (token/approle) | "token" |
VAULT_APPROLE_ROLE_ID | role_id | AppRole role ID | None |
VAULT_APPROLE_SECRET_ID | secret_id | AppRole secret ID | None |
VAULT_APPROLE_PATH | vault_approle_path | AppRole mount path | "approle" |
VAULT_CACERT | ca_cert | CA certificate path | None |
VAULT_SKIP_VERIFY | tls_skip_verify | Skip TLS verification | false |
VAULT_PROXIES | proxies | Proxy configuration | None |
VAULT_TIMEOUT | timeout | Request timeout (seconds) | None |
VAULT_RETRIES | retries | Retry configuration | None |
The following environment variable is supported by KV and PKI modules/plugins only:
| Environment Variable | Parameter | Description | Default |
|---|---|---|---|
VAULT_ENGINE_MOUNT_POINT | engine_mount_point | Secrets engine mount point | "secret" (KV), "pki" (PKI) |
Note:
VAULT_ENGINE_MOUNT_POINTis shared by KV and PKI modules/lookups, but each module type has a different default mount path (secretvspki). Setting this variable globally works only when all tasks target the same engine mount. For playbooks that mix KV and PKI operations, setengine_mount_point(orsecret_mount_path) on individual tasks instead of using a single global environment variable.
When both environment variables and module/plugin parameters are provided, explicit parameters take precedence:
# Set environment variables once
environment:
VAULT_ADDR: "https://vault.example.com:8200"
VAULT_TOKEN: "{{ vault_token }}"
VAULT_NAMESPACE: "admin"
VAULT_AUTH_METHOD: "token"
VAULT_ENGINE_MOUNT_POINT: "secret"
# Use lookup with minimal parameters
- name: Read secret
ansible.builtin.debug:
msg: "{{ lookup('hashicorp.vault.kv2_secret_get', secret='myapp/config') }}"
GitHub Actions workflows run tests for this collection. The CI uses a two-tier approach:
Linters:
pip install -r requirements-linters.txt
tox -e linters
Unit Tests:
pip install -r test-requirements.txt
pytest tests/unit/
Integration Tests:
Integration tests require a Vault instance.
Copy the integration config template and fill in your Vault details:
cp tests/integration/integration_config.yml.template tests/integration/integration_config.yml
Add your Vault details:
vault_url_from_int_config: "<VAULT_URL_HERE>"
vault_namespace_from_int_config: "<VAULT_NAMESPACE_HERE>" # example: admin/hashicorp-vault-integration-tests
vault_approle_role_id_from_int_config: "<VAULT_APPROLE_ROLE_ID_HERE>"
vault_approle_secret_id_from_int_config: "<VAULT_APPROLE_SECRET_ID_HERE>"
Run the tests:
ansible-test integration <target>
Using a Local Vault Instance:
You can test changes using a local instance of HashiCorp Vault.
Follow this guide to start a local development server: https://developer.hashicorp.com/vault/tutorials/get-started/setup
Prerequisites:
For running the integration tests locally, you need to:
role_id and secret_iddefaults/main.yml in your integration tests with the required values:# Example values only — replace with real credentials
vault_url: "http://localhost:8200"
vault_namespace: "admin"
vault_approle_role_id: "xxxxxxxx-60da-6224-d270-xxxxxxxx"
vault_approle_secret_id: "xxxxxxxx-2458-14b9-b643-xxxxxxxx"
vault_resource_suffix: ansible-test
As Red Hat Ansible Certified Content, this collection is entitled to support through the Ansible Automation Platform (AAP) using the Create issue button on the top right corner. If a support case cannot be opened with Red Hat and the collection has been obtained either from Galaxy or GitHub, there may be community help available on the Ansible Forum.
See the changelog.
GNU General Public License v3.0 or later.
See LICENSE to see the full text.
| Product |
|---|
| 2.6 |
| 2.7 |
This collection requires the following collections for use:
utils Ansible Collection with utilities to ease the management, manipulation, and validation of data within a playbook |
This collection is not being used by other collections.