AnsiblePilot — Master Ansible Automation


Ansible AAP as OIDC Authentication Provider for HashiCorp Vault: Zero Trust Workflow

By Luca Berton · Published 2024-01-01 · Category: events

Configure AAP as an OIDC provider for HashiCorp Vault with JWT authentication, short-lived tokens, and zero trust automation.

Starting with AAP 2.7, Ansible Automation Platform can act as an OIDC identity provider for HashiCorp Vault: Vault trusts the JWTs that AAP signs for each job, so jobs no longer need a long-lived static Vault token stored in AAP. The result is zero trust credential management with short-lived, scoped access.

5-Step OIDC Workflow

  ①  User requires elevated
     secret to run automation   ②  AAP JWT token authenticates
     against Vault-secured ────────────── via OIDC ──────────────►
     infrastructure                                               ┌──────────┐
       │                   ③  Vault returns short-lived           │HashiCorp │
       │              ◄──────── token for secret retrieval ───────│  Vault   │
  ┌────▼────┐                                                     └──────────┘
  │   AAP   │          ④  AAP retrieves the elevated secret
  │         │────────────────────────────────────────────────────►
  └────┬────┘
       │
       │          ⑤  Run automation with the secret
       ▼
  ┌─────────────────────────────────┐
  │  Vault-secured infrastructure   │
  │  (VMs, physical servers,        │
  │   containers, network/edge)     │
  └─────────────────────────────────┘

Step 1: User Requests Elevated Access

A user or automation job requires a secret (database password, API key, certificate) to run against Vault-secured infrastructure.

Step 2: AAP JWT Authenticates via OIDC

AAP issues a JSON Web Token (JWT) for the job, signed with its own key, and presents it to Vault's JWT auth method. The JWT carries claims about:
• who is requesting (the user or job identity)
• which organization or team they belong to
• what scope of access is needed

Step 3: Vault Returns Short-Lived Token

Vault locates AAP's signing keys through the OIDC discovery document (the jwks endpoint), verifies the JWT signature, checks issuer, audience and expiry, and matches the remaining claims against the bound_claims of the role. Only then does it return a short-lived token whose policies restrict it to the requested secrets.

Step 4: AAP Retrieves the Secret

Using the short-lived Vault token, AAP retrieves the elevated secret. The token expires at the end of its TTL (and can be revoked as soon as the job finishes), so no long-lived Vault credential is ever stored in AAP.

Step 5: Run Automation

AAP executes the automation with the retrieved secret against the target infrastructure. The secret is never persisted and is discarded after job completion.

See also: Ansible Automation Platform and HashiCorp Vault: End-to-End Trusted Automation (Integration Guide)

Configuration

AAP Side: Enable OIDC Identity Issuer

AAP UI → Settings → Authentication → OIDC
  Issuer URL: https://aap.example.com
  Client ID: vault-integration
  Signing algorithm: RS256

AAP exposes the standard OIDC endpoints:
• /.well-known/openid-configuration
• /oauth2/jwks
• /oauth2/token

Vault Side: Configure JWT Auth

# Enable JWT auth method
vault auth enable jwt

# Configure AAP as the OIDC provider.
# oidc_discovery_url is the issuer base URL: Vault appends /.well-known/openid-configuration
# itself, and the "issuer" field in that document must equal bound_issuer.
# If AAP is signed by a private CA, also pass oidc_discovery_ca_pem=@aap-ca.pem.
vault write auth/jwt/config \
    oidc_discovery_url="https://aap.example.com" \
    bound_issuer="https://aap.example.com"

# Create a role for AAP jobs.
# bound_audiences must equal the aud claim AAP puts in the JWT ("vault" here).
# bound_claims '{"organization":"*"}' matches every organization, i.e. any AAP job;
# restrict it to the teams that should reach these secrets, e.g. '{"organization":"platform-*"}'.
# Vault still accepts the older names policies, ttl and max_ttl for the last three fields.
vault write auth/jwt/role/aap-automation \
    role_type="jwt" \
    bound_audiences="vault" \
    user_claim="sub" \
    bound_claims_type="glob" \
    bound_claims='{"organization":"*"}' \
    token_policies="automation-secrets" \
    token_ttl="15m" \
    token_max_ttl="1h"
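Steps 2 and 3 above, together with the bound_* fields of the role just created, in runnable form. This is an added example written for this page, not AAP's or Vault's code: a Go program (standard library only) in which Mint plays the AAP side (RS256-signing a job's claims and publishing the matching JWKS) and Login plays Vault's auth/jwt/login (signature against the key named by kid, then iss, exp, aud and glob-matched bound_claims, returning the user_claim that Vault binds the short-lived token to). The claim names, the kid aap-1, the job identity and the organization glob platform-* are assumptions for illustration; the real claim set AAP emits and Vault's exact glob semantics may differ.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"path"
	"strings"
	"time"
)

// Role mirrors the fields of the Vault JWT auth role configured on this page.
type Role struct {
	BoundIssuer   string            // bound_issuer
	BoundAudience string            // bound_audiences (one value here; Vault accepts a list)
	BoundClaims   map[string]string // bound_claims, matched as globs (bound_claims_type="glob")
	UserClaim     string            // user_claim
}

type JWK struct{ N, E string } // RSA public key parameters as served at the jwks endpoint
type JWKS map[string]JWK       // keyed by kid

var b64 = base64.RawURLEncoding

// Mint plays the AAP side: RS256-sign the job's claims and publish the matching JWKS.
func Mint(key *rsa.PrivateKey, claims map[string]any) (string, JWKS) {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "kid": "aap-1"})
	body, _ := json.Marshal(claims)
	input := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	digest := sha256.Sum256([]byte(input))
	sig, _ := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	jwks := JWKS{"aap-1": {N: b64.EncodeToString(key.N.Bytes()), E: b64.EncodeToString(big.NewInt(int64(key.E)).Bytes())}}
	return input + "." + b64.EncodeToString(sig), jwks
}

// Login plays the Vault side of auth/jwt/login: verify the signature against the JWKS, then enforce
// issuer, expiry, audience and bound_claims. It returns the user_claim value Vault binds the token to.
func Login(token string, jwks JWKS, role Role, now time.Time) (string, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return "", fmt.Errorf("malformed token")
	}
	var hdr struct{ Alg, Kid string }
	if raw, err := b64.DecodeString(parts[0]); err != nil || json.Unmarshal(raw, &hdr) != nil || hdr.Alg != "RS256" {
		return "", fmt.Errorf("bad header: the verifier fixes the algorithm, the token does not get to choose it")
	}
	k, ok := jwks[hdr.Kid]
	if !ok {
		return "", fmt.Errorf("no JWKS key for kid %q", hdr.Kid)
	}
	n, _ := b64.DecodeString(k.N)
	e, _ := b64.DecodeString(k.E)
	pub := &rsa.PublicKey{N: new(big.Int).SetBytes(n), E: int(new(big.Int).SetBytes(e).Int64())}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if sig, _ := b64.DecodeString(parts[2]); rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return "", fmt.Errorf("signature verification failed")
	}
	var c map[string]any // claims are parsed only after the signature is trusted
	if raw, err := b64.DecodeString(parts[1]); err != nil || json.Unmarshal(raw, &c) != nil {
		return "", fmt.Errorf("malformed payload")
	}
	if c["iss"] != role.BoundIssuer {
		return "", fmt.Errorf("issuer %v is not the bound issuer", c["iss"])
	}
	if exp, _ := c["exp"].(float64); now.Unix() >= int64(exp) { // a missing exp decodes as 0 and is rejected
		return "", fmt.Errorf("token expired")
	}
	if c["aud"] != role.BoundAudience {
		return "", fmt.Errorf("audience %v is not bound to this role", c["aud"])
	}
	for claim, glob := range role.BoundClaims {
		v, _ := c[claim].(string)
		if ok, _ := path.Match(glob, v); !ok {
			return "", fmt.Errorf("bound claim %s=%q does not match %q", claim, v, glob)
		}
	}
	if id, _ := c[role.UserClaim].(string); id != "" {
		return id, nil
	}
	return "", fmt.Errorf("user_claim %q missing from token", role.UserClaim)
}

func main() {
	key, _ := rsa.GenerateKey(rand.Reader, 2048)
	role := Role{BoundIssuer: "https://aap.example.com", BoundAudience: "vault",
		BoundClaims: map[string]string{"organization": "platform-*"}, UserClaim: "sub"}
	job := map[string]any{"iss": role.BoundIssuer, "sub": "job:1234", "aud": "vault",
		"exp": time.Now().Add(5 * time.Minute).Unix(), "organization": "platform-team"}
	tok, jwks := Mint(key, job)
	fmt.Println(Login(tok, jwks, role, time.Now())) // job:1234 <nil>
	job["aud"] = "some-other-service" // same signer, wrong audience: Vault must refuse it
	tok, jwks = Mint(key, job)
	fmt.Println(Login(tok, jwks, role, time.Now()))
}
```

The order of checks is the point: nothing in the payload is trusted until the signature verifies against the key the issuer published, and the accepted algorithm is fixed by the verifier, so a token that announces alg=none is rejected before a single claim is read. Tightening bound_claims from "*" to a team glob is what turns the role from "any AAP job may log in" into "jobs from this organization may log in".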

Vault Policy

# automation-secrets policy
# Read-only access to one KV v2 prefix and to dynamic database credentials, plus the
# ability to issue certificates from one PKI role. Nothing here can list, write or delete.
path "secret/data/automation/*" {
  capabilities = ["read"]
}

path "database/creds/app-*" {
  capabilities = ["read"]
}

path "pki/issue/automation" {
  capabilities = ["create", "update"]
}

Playbook Using OIDC-Based Vault Access

---
- name: Deploy app with Vault-managed secrets
  hosts: app_servers
  vars:
    # The database secrets engine returns only username/password; the host is a playbook variable.
    db_host: db.example.com
  tasks:
    - name: Retrieve database credentials from Vault
      community.hashi_vault.vault_read:
        url: "https://vault.example.com"
        path: "database/creds/app-readonly"
        auth_method: jwt
        jwt: "{{ ansible_oidc_token }}"   # JWT minted by AAP for this job
        role_id: "aap-automation"         # the Vault JWT auth role created above
      register: db_creds
      delegate_to: localhost              # talk to Vault from the execution environment, not from every target
      no_log: true                        # keep the credentials out of the job output

    - name: Deploy application configuration
      ansible.builtin.template:
        src: app-config.j2
        dest: /opt/app/config.yml
        owner: app
        group: app
        mode: '0600'
      vars:
        # vault_read returns the raw Vault response, so the secret fields sit under data.data
        db_username: "{{ db_creds.data.data.username }}"
        db_password: "{{ db_creds.data.data.password }}"
      no_log: true

    - name: Restart application
      ansible.builtin.systemd:
        name: myapp
        state: restarted

See also: Ansible OIDC Integration with HashiCorp Vault: Zero Trust Credential Management (Complete Guide)

Zero Trust Architecture (ZTA) Features

AAP's OIDC provider implementation includes three key ZTA capabilities:

| Feature | Reference | Description |
|---|---|---|
| AAP as Identity Issuer (Outbound) | ANSTRAT-1019 | AAP issues JWT tokens that external systems (Vault) can verify |
| Premier Partner Implementation | ANSTRAT-1558 | Deep integration with HashiCorp Vault as premier partner |
| External Authorization (Inbound) | ANSTRAT-1611 | AAP can validate external tokens for inbound authentication |

Benefits Over Static Credentials

| Static Tokens | OIDC/JWT |
|---|---|
| Long-lived, stored in AAP | Short-lived, generated per job |
| Leaked token = persistent access | Leaked token expires in minutes |
| Manual rotation required | Automatic per-execution |
| Same token for all jobs | Scoped claims per job/user |
| Audit log shows one shared token, not who used it | JWT claims trace each login back to a user/job |

See also: HashiCorp Vault Integration with Ansible Automation Platform: Credential Management at Scale

Vault-Secured Infrastructure

The OIDC workflow secures automation across:
• Application servers: VMs and physical servers
• Container orchestration platforms: Kubernetes, OpenShift
• Network devices: switches, routers, firewalls (less common)
• Edge devices: IoT and edge compute

FAQ

Does this replace Ansible Vault (file encryption)?

No. AAP as OIDC provider is for integrating with HashiCorp Vault (external secrets management). Ansible Vault (file encryption) remains available for encrypting playbook variables.

What AAP versions support OIDC for Vault?

AAP 2.7+ (GA June 3, 2026) introduces AAP as an OIDC authentication provider. Earlier versions can still integrate with Vault, but only with a static Vault token or AppRole credentials stored in AAP, which reintroduces the long-lived secret this feature removes.

Can I use this with Vault namespaces?

Yes. Enable the JWT auth method inside the namespace and send the namespace with each request (the namespace option of the community.hashi_vault modules, the X-Vault-Namespace header, or VAULT_NAMESPACE). The namespace is part of the request, not of the JWT. Vault Enterprise namespaces work with the JWT auth method.

How short-lived are the tokens?

Configurable via the Vault role: the role example above sets a 15-minute TTL with a 1-hour maximum. Tokens can be as short as a job needs; a TTL just longer than the typical job run keeps the exposure window minimal.

Does this work with HCP Vault Dedicated?

Yes. Configure the HCP Vault Dedicated cluster endpoint as the Vault URL. HCP Vault Dedicated places your auth methods and secrets engines under the admin namespace, so set that namespace (or a child of it) on the requests. The OIDC/JWT flow is otherwise the same as for self-hosted Vault.

Related Articles

Ansible Automation Platform HashiCorp Vault Integration
Red Hat Ansible Automation Platform 2.7: What's New
Ansible Vault Complete Guide
Red Hat Summit 2026 Highlights
