Introduction

Event-Driven Ansible in AAP 2.6 adds support for external secret management systems, with HashiCorp Vault being a key integration. This guide shows you how to configure Vault with EDA for secure, enterprise-grade event-driven automation.

Why External Secrets for EDA?

Storing secrets directly in rulebooks or EDA configurations creates risk:

  • Secrets are visible in version control
  • Rotation requires configuration changes
  • Audit trails are incomplete
  • Compliance requirements may be violated

External secret management addresses all of these concerns.

Prerequisites

  • AAP 2.6 installed and operational
  • HashiCorp Vault server (v1.12+) accessible from EDA
  • Vault admin access to create policies and secrets
  • Basic familiarity with EDA rulebooks

Step 1: Configure Vault

Create a Secret Engine

```bash
# Enable a KV secrets engine for EDA
vault secrets enable -path=eda kv-v2
```

Store Secrets

```bash
# Store webhook tokens
vault kv put eda/webhook token=my-secure-webhook-token

# Store API keys
vault kv put eda/integrations \
  pagerduty_key=pd-api-key-12345 \
  slack_webhook=https://hooks.slack.com/services/xxx
```

Create a Policy

```hcl
# eda-policy.hcl
path "eda/data/*" {
  capabilities = ["read", "list"]
}
```

```bash
vault policy write eda-reader eda-policy.hcl
```

Step 2: Configure EDA Authentication

AppRole Authentication (Recommended)

```bash
# Enable AppRole
vault auth enable approle

# Create role for EDA
vault write auth/approle/role/eda \
  token_policies="eda-reader" \
  token_ttl=1h \
  token_max_ttl=4h
```

Step 3: Configure EDA Credentials

In the AAP 2.6 UI:

1. Navigate to Event-Driven Ansible → Credentials

2. Create a new credential of type HashiCorp Vault

3. Enter your Vault URL, authentication method, and credentials

Step 4: Use Vault Secrets in Rulebooks

```yaml
---
- name: Webhook handler with Vault secrets
  hosts: all
  sources:
    - ansible.eda.webhook:
        host: 0.0.0.0
        port: 5000
        token: "{{ vault_lookup('eda/webhook', 'token') }}"
  rules:
    - name: Handle incoming webhook
      condition: event.payload.status == "critical"
      action:
        run_job_template:
          name: "Remediate Issue"
          organization: "IT Ops"
```
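The exchange behind Steps 1 to 4 is an AppRole login followed by a KV v2 read. The added example below (not code from the post or from the EDA integration itself) builds those two Vault API calls and checks the responses the way a cautious consumer should: the token must carry the `eda-reader` policy, respect the 1h `token_ttl`, and be renewable, and the read URL must use the `data/` segment that the `eda/data/*` policy path refers to. The Vault address, role_id and secret_id are placeholders, and the two JSON responses are constructed samples so the script runs offline.

```python
"""Checks for the AppRole login and KV v2 read that EDA performs against Vault (added example)."""

MOUNT = "eda"          # KV v2 mount enabled in Step 1
MAX_TOKEN_TTL = 3600   # token_ttl=1h set on the AppRole in Step 2

# Constructed sample responses (shape of Vault's real JSON, values made up) so this runs offline.
SAMPLE_LOGIN = {"auth": {"client_token": "hvs.CONSTRUCTED", "renewable": True,
                         "lease_duration": 3600, "policies": ["default", "eda-reader"]}}
SAMPLE_KV = {"data": {"data": {"token": "my-secure-webhook-token"}, "metadata": {"version": 1}}}


def approle_login_request(addr, role_id, secret_id):
    """EDA presents role_id + secret_id; Vault mints a short-lived token in return."""
    return f"{addr}/v1/auth/approle/login", {"role_id": role_id, "secret_id": secret_id}


def check_login_response(resp, expect_policy="eda-reader", max_ttl=MAX_TOKEN_TTL):
    """Reject a token that carries the wrong policy, outlives token_ttl or cannot be renewed."""
    auth = resp["auth"]
    if expect_policy not in auth["policies"]:
        raise ValueError(f"token lacks policy {expect_policy}: {auth['policies']}")
    if auth["lease_duration"] > max_ttl:
        raise ValueError(f"token TTL {auth['lease_duration']}s exceeds {max_ttl}s")
    if not auth["renewable"]:
        raise ValueError("token is not renewable; EDA cannot refresh it before expiry")
    return auth["client_token"]


def kv2_read_url(addr, mount, secret_path):
    """KV v2 inserts 'data/' after the mount: CLI path eda/webhook is API path eda/data/webhook,
    which is why the policy in Step 1 grants eda/data/* rather than eda/*."""
    return f"{addr}/v1/{mount}/data/{secret_path}"


def extract_kv2_field(resp, field):
    """KV v2 nests values under data.data; the version lets you correlate reads with audit logs."""
    return resp["data"]["data"][field], resp["data"]["metadata"]["version"]


def run_offline(addr="http://127.0.0.1:8200"):
    """Walk the exchange on the constructed samples; feed real JSON (e.g. via urllib) to go live."""
    login_url, _body = approle_login_request(addr, "ROLE_ID_PLACEHOLDER", "SECRET_ID_PLACEHOLDER")
    token = check_login_response(SAMPLE_LOGIN)              # stands in for POST login_url/_body
    value, version = extract_kv2_field(SAMPLE_KV, "token")  # stands in for GET kv2_read_url(...)
    return login_url, token, kv2_read_url(addr, MOUNT, "webhook"), version, len(value)


if __name__ == "__main__":
    print(run_offline())
```

The script deliberately reports the secret's length and version rather than its value, so it can be run as a connectivity check without leaking the webhook token into logs.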

Best Practices

1. Use AppRole — More secure than token-based auth for automated systems

2. Short TTLs — Keep token lifetimes short and enable renewal

3. Separate paths — Use dedicated Vault paths for EDA vs other systems

4. Audit logging — Enable Vault audit logging to track secret access

5. Rotation — Implement regular secret rotation schedules

Conclusion

HashiCorp Vault integration brings enterprise-grade secret management to Event-Driven Ansible. This is a critical capability for organizations with strict security and compliance requirements.

For more Ansible tutorials and guides, explore the [complete article collection](/articles) on Ansible Pilot.