Integrating HashiCorp Vault with Event-Driven Ansible in AAP 2.6
By Luca Berton · Published 2024-01-01 · Category: installation
Step-by-step guide to integrating HashiCorp Vault for external secret management with Event-Driven Ansible in AAP 2.6.

Introduction
Event-Driven Ansible in AAP 2.6 adds support for external secret management systems, with HashiCorp Vault being a key integration. This guide shows you how to configure Vault with EDA for secure, enterprise-grade event-driven automation.
See also: Event-Driven Ansible Enhancements in AAP 2.6 — What's New
Why External Secrets for EDA?
Storing secrets directly in rulebooks or EDA configurations creates risk:
• Secrets are visible in version control
• Rotation requires configuration changes
• Audit trails are incomplete
• Compliance requirements may be violated
External secret management addresses all of these concerns.
Prerequisites
• AAP 2.6 installed and operational
• HashiCorp Vault server (v1.12+) accessible from EDA
• Vault admin access to create policies and secrets
• Basic familiarity with EDA rulebooks
See also: Enhanced Kafka Integration for Event-Driven Ansible in AAP 2.6
Step 1: Configure Vault
Create a Secret Engine
# Enable a KV secrets engine for EDA
vault secrets enable -path=eda kv-v2
Store Secrets
# Store webhook tokens
vault kv put eda/webhook token=my-secure-webhook-token
# Store API keys
vault kv put eda/integrations \
pagerduty_key=pd-api-key-12345 \
slack_webhook=https://hooks.slack.com/services/xxx
Create a Policy
# eda-policy.hcl
# KV v2 serves reads from <mount>/data/<path> and listings from
# <mount>/metadata/<path>, so the two capabilities belong on different paths.
path "eda/data/*" {
  capabilities = ["read"]
}
path "eda/metadata/*" {
  capabilities = ["list"]
}
vault policy write eda-reader eda-policy.hcl
Step 2: Configure EDA Authentication
AppRole Authentication (Recommended)
# Enable AppRole
vault auth enable approle
# Create role for EDA: tokens carry only the read-only policy above,
# live 1h by default and can be renewed up to a 4h ceiling
vault write auth/approle/role/eda \
  token_policies="eda-reader" \
  token_ttl=1h \
  token_max_ttl=4h
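Steps 1 and 2 configure the Vault side; the exchange the EDA side then performs is an AppRole login followed by a KV v2 read. The following is an added example, not code from the article or from AAP/EDA, that walks through that exchange with Vault's HTTP API using only the Python standard library. The transport is injectable, so it runs offline against a constructed stand-in for Vault that enforces the eda-reader policy; the Vault address, role ID, secret ID, client token and stored values are all constructed for the demo. It also performs the check worth running after Step 2: a token issued to the eda role must be able to read eda/webhook and must be refused a write.

```python
# Added example (not from the article or from AAP/EDA): AppRole login and
# KV v2 read against Vault's HTTP API, plus a least-privilege check.
# Standard library only. VAULT_ADDR, ROLE_ID, SECRET_ID, CLIENT_TOKEN and
# FAKE_STORE are constructed values for the offline demo.
import hmac
import json
import urllib.error
import urllib.request
from typing import Callable, Optional, Tuple

# A transport maps (method, url, headers, json_body_or_None) to (status, parsed_json).
Transport = Callable[[str, str, dict, Optional[dict]], Tuple[int, dict]]
VAULT_ADDR = "https://vault.example.com:8200"  # constructed


def http_transport(method: str, url: str, headers: dict, body: Optional[dict]) -> Tuple[int, dict]:
    """Real transport for a live Vault server; not used by the offline demo."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method,
                                 headers={"Content-Type": "application/json", **headers})
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return resp.status, json.loads(resp.read() or b"{}")
    except urllib.error.HTTPError as err:
        return err.code, json.loads(err.read() or b"{}")


class VaultClient:
    def __init__(self, addr: str, transport: Transport = http_transport):
        self.addr = addr.rstrip("/")
        self.transport = transport
        self.token: Optional[str] = None
        self.token_ttl = 0  # seconds; governed by token_ttl on the AppRole role

    def login_approle(self, role_id: str, secret_id: str) -> int:
        """POST /v1/auth/approle/login and keep the issued client token."""
        status, body = self.transport("POST", f"{self.addr}/v1/auth/approle/login", {},
                                      {"role_id": role_id, "secret_id": secret_id})
        if status != 200:
            raise PermissionError(f"AppRole login failed: {status} {body.get('errors')}")
        self.token = body["auth"]["client_token"]
        self.token_ttl = int(body["auth"]["lease_duration"])
        return self.token_ttl

    def _call(self, method: str, path: str, body: Optional[dict] = None) -> Tuple[int, dict]:
        return self.transport(method, f"{self.addr}/v1/{path}",
                              {"X-Vault-Token": self.token or ""}, body)

    def kv2_read(self, mount: str, path: str, key: str) -> str:
        """GET /v1/<mount>/data/<path>: KV v2 inserts 'data' into the API path
        (hence the policy's eda/data/*) and nests the secret under data.data."""
        status, body = self._call("GET", f"{mount}/data/{path}")
        if status == 403:
            raise PermissionError(f"read denied on {mount}/data/{path}")
        if status != 200:
            raise RuntimeError(f"unexpected status {status}: {body.get('errors')}")
        return body["data"]["data"][key]

    def kv2_write(self, mount: str, path: str, data: dict) -> None:
        """POST /v1/<mount>/data/<path>; the read-only eda-reader policy must refuse this."""
        status, body = self._call("POST", f"{mount}/data/{path}", {"data": data})
        if status == 403:
            raise PermissionError(f"write denied on {mount}/data/{path}")
        if status != 200:
            raise RuntimeError(f"unexpected status {status}: {body.get('errors')}")


# --- constructed stand-in for a Vault server that enforces the eda-reader policy ---
ROLE_ID, SECRET_ID, CLIENT_TOKEN = "role-id-constructed", "secret-id-constructed", "hvs.constructed"
FAKE_STORE = {"webhook": {"token": "my-secure-webhook-token"},
              "integrations": {"pagerduty_key": "pd-api-key-12345"}}


def fake_vault(method: str, url: str, headers: dict, body: Optional[dict]) -> Tuple[int, dict]:
    path = url.split("/v1/", 1)[1]
    if method == "POST" and path == "auth/approle/login":
        creds = body or {}
        if (hmac.compare_digest(creds.get("role_id", ""), ROLE_ID)
                and hmac.compare_digest(creds.get("secret_id", ""), SECRET_ID)):
            return 200, {"auth": {"client_token": CLIENT_TOKEN, "lease_duration": 3600,
                                  "policies": ["default", "eda-reader"]}}
        return 400, {"errors": ["invalid role or secret ID"]}
    if not hmac.compare_digest(headers.get("X-Vault-Token", ""), CLIENT_TOKEN):
        return 403, {"errors": ["permission denied"]}
    name = path[len("eda/data/"):] if path.startswith("eda/data/") else None
    if method == "GET" and name is not None:  # read on eda/data/* is allowed
        if name in FAKE_STORE:
            return 200, {"data": {"data": FAKE_STORE[name], "metadata": {"version": 1}}}
        return 404, {"errors": []}
    return 403, {"errors": ["permission denied"]}  # writes and every other path are denied


def fetch_webhook_token(transport: Transport = fake_vault) -> Tuple[str, int]:
    """Log in with AppRole, then read the token the rulebook's webhook source needs."""
    client = VaultClient(VAULT_ADDR, transport)
    ttl = client.login_approle(ROLE_ID, SECRET_ID)
    return client.kv2_read("eda", "webhook", "token"), ttl


def least_privilege_holds(transport: Transport = fake_vault) -> bool:
    """True when a token issued to the eda role cannot overwrite the secret it reads."""
    client = VaultClient(VAULT_ADDR, transport)
    client.login_approle(ROLE_ID, SECRET_ID)
    try:
        client.kv2_write("eda", "webhook", {"token": "tampered"})
    except PermissionError:
        return True
    return False


def approle_login_rejected(role_id: str, secret_id: str, transport: Transport = fake_vault) -> bool:
    try:
        VaultClient(VAULT_ADDR, transport).login_approle(role_id, secret_id)
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    token, ttl = fetch_webhook_token()
    print(f"token={token!r} ttl={ttl}s write_denied={least_privilege_holds()}")
```

Against a real server, pass http_transport and the role ID and secret ID generated for the eda role; the same two functions then confirm that the policy reads as intended before any rulebook depends on it. Note that the token TTL returned at login is what "Short TTLs" in the best practices refers to: a long-running EDA activation has to renew or re-login before it expires.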
See also: AAP 2.6 Credential Management: Vaults, External Secrets, and Machine Credentials
Step 3: Configure EDA Credentials
In the AAP 2.6 UI:
• Navigate to Event-Driven Ansible → Credentials
• Create a new credential of type HashiCorp Vault
• Enter your Vault URL, the authentication method (AppRole, from Step 2) and its credentials. The role ID is returned by vault read auth/approle/role/eda/role-id; generate a secret ID with vault write -f auth/approle/role/eda/secret-id and treat it as a secret in its own right, since together the two values are equivalent to the eda-reader token.
Step 4: Use Vault Secrets in Rulebooks
---
- name: Webhook handler with Vault secrets
  hosts: all
  sources:
    - ansible.eda.webhook:
        host: 0.0.0.0
        port: 5000
        # The token value is supplied by the Vault credential attached to this
        # rulebook activation in Step 3; vault_lookup() stands in for that
        # injection here and is not a built-in rulebook function.
        token: "{{ vault_lookup('eda/webhook', 'token') }}"
  rules:
    - name: Handle incoming webhook
      condition: event.payload.status == "critical"
      action:
        run_job_template:
          name: "Remediate Issue"
          organization: "IT Ops"
Best Practices
• Use AppRole — More secure than token-based auth for automated systems
• Short TTLs — Keep token lifetimes short and enable renewal
• Separate paths — Use dedicated Vault paths for EDA vs other systems
• Audit logging — Enable Vault audit logging to track secret access
• Rotation — Implement regular secret rotation schedules
Conclusion
HashiCorp Vault integration brings enterprise-grade secret management to Event-Driven Ansible. This is a critical capability for organizations with strict security and compliance requirements.
For more Ansible tutorials and guides, explore the complete article collection on Ansible Pilot.
Related Articles
• using Ansible Vault for secrets
• rendering files with Ansible template
• handler best practices in Ansible