AnsiblePilot — Master Ansible Automation



About Luca Berton

Luca Berton is an Ansible automation expert, author of 8 Ansible books published by Apress and Leanpub including "Ansible for VMware by Examples" and "Ansible for Kubernetes by Example", and creator of the Ansible Pilot YouTube channel. He shares practical automation knowledge through tutorials, books, and video courses to help IT professionals and DevOps engineers master infrastructure automation.

Ansible Automation Platform and HashiCorp Vault: End-to-End Trusted Automation (Integration Guide)

By Luca Berton · Published 2024-01-01 · Category: installation

Integrate Ansible Automation Platform with HashiCorp Vault for end-to-end trusted automation across hybrid cloud environments.

Red Hat Ansible Automation Platform and HashiCorp Vault together deliver end-to-end trusted automation — combining hybrid cloud automation with comprehensive secrets management across all infrastructure domains.

The Partnership

| Component | Role |
|---|---|
| Red Hat Ansible Automation Platform | Hybrid cloud automation: automate systems, services, and workflows |
| HashiCorp Vault | Protect secrets and data: identity-based security and centralized access |
| Combined | End-to-end trusted automation: a secure automation solution |

See also: Ansible AAP as OIDC Authentication Provider for HashiCorp Vault: Zero Trust Workflow

What Each Platform Brings

Ansible Automation Platform

• Automate systems and services: maximize efficiency, improve compliance, and deliver consistent, reliable mission-critical automation
• Achieve business outcomes: scale automation across domains, orchestrate essential workflows, and optimize IT operations for enterprise AI adoption
• Consistent across hybrid cloud: consistent, reliable, and compliant performance across use cases, domains, and environments

HashiCorp Vault

• Identity-based security: access to secrets and sensitive data only through trusted identities that broker connections between applications and users
• Identity and Access Management (IAM): enforce that people and machines are who they say they are, and that they get access only to what they need
• Single centralized record: a system of record for storing secrets centrally and managing the credential lifecycle

Combined Value

• Secure automation: secret rotation and time-bound access for automation workflows
• Centralized access: manage secrets for cloud services, VMs, network devices, and databases across hybrid, multi-cloud, on-premises, and edge infrastructure
• Automated secret management: orchestrate the HashiCorp Vault integration with hybrid cloud infrastructure for compliance across all environments

Automation Domains

The integration covers the following infrastructure domains:

| Domain | Use Case |
|---|---|
| Network | Switch/router credentials, certificate management |
| Operating Systems | SSH keys, service accounts, sudo credentials |
| Cloud | AWS STS tokens, Azure service principals, GCP service accounts |
| Application Delivery | Database passwords, API keys, TLS certificates |
| Virtualization | vCenter credentials, hypervisor access |
| AIOps | AI model API keys, inference endpoint tokens |

See also: Ansible OIDC Integration with HashiCorp Vault: Zero Trust Credential Management (Complete Guide)

Use Case: Automating HashiCorp Vault Integrations

AAP can configure Vault, deploy the Vault agent to managed systems, and validate the result in a three-step automated workflow:

     ┌─────────────────┐
     │  Ansible AAP    │
     └────┬────────────┘
          │
    ①─────┼────────────────► Configure Vault
          │                  (policies, auth methods,
          │                   secret engines)
    ②─────┤
          │  Install &       ┌─────────────────┐
          │  configure       │                 │
          └──Vault agent────►│ Target Systems  │
                             │ (OS, Cloud,     │
    ③     check/validate     │  Network, etc.) │
     ◄────setup──────────────┤                 │
                             └─────────────────┘

Step 1: Configure Vault

AAP configures the HashiCorp Vault instance:

```yaml
---
- name: Configure HashiCorp Vault
  hosts: vault_servers
  become: true    # not needed by the hashi_vault modules, which only call the HTTP API
  tasks:
    - name: Enable KV secrets engine
      community.hashi_vault.vault_write:
        url: "https://vault.example.com"
        path: sys/mounts/secret
        data:
          type: kv
          options:
            version: "2"
        token: "{{ vault_root_token }}"   # bootstrap only; see note below

    # Least privilege for automation jobs: full access to their own KV prefix,
    # read-only on dynamic database credentials.
    - name: Create automation policy
      community.hashi_vault.vault_write:
        url: "https://vault.example.com"
        path: sys/policies/acl/automation
        data:
          policy: |
            path "secret/data/automation/*" {
              capabilities = ["create", "read", "update", "delete", "list"]
            }
            path "database/creds/*" {
              capabilities = ["read"]
            }
        token: "{{ vault_root_token }}"

    - name: Enable JWT auth for AAP
      community.hashi_vault.vault_write:
        url: "https://vault.example.com"
        path: sys/auth/jwt
        data:
          type: jwt
        token: "{{ vault_root_token }}"
```

The root token appears here only because this is first-time bootstrap. Generate a short-lived token scoped to sys/mounts, sys/policies/acl and sys/auth for this job, and revoke the root token once the JWT auth method below is working; a root token in an AAP credential store is a standing, unaudited path around every policy you create.

Step 2: Install and Configure Vault Agent

AAP deploys and configures the Vault agent on target systems:

```yaml
---
- name: Deploy Vault agent on target systems
  hosts: managed_nodes
  become: true
  tasks:
    - name: Install Vault agent
      ansible.builtin.package:
        name: vault    # the agent is the same binary as the server, run with `vault agent`
        state: present

    - name: Deploy Vault agent configuration
      ansible.builtin.template:
        src: vault-agent.hcl.j2
        dest: /etc/vault.d/agent.hcl
        owner: vault
        group: vault
        mode: '0640'

    # Assumes the unit runs `vault agent -config=/etc/vault.d/agent.hcl`.
    # The vault.service shipped with the package starts `vault server`, so
    # override its ExecStart or install a dedicated agent unit first.
    - name: Start Vault agent
      ansible.builtin.systemd:
        name: vault
        state: started
        enabled: true

    # sys/health answers 200 (active), 429 (standby), 472 (DR secondary) or
    # 473 (performance standby) on a healthy cluster; 501/503 mean
    # uninitialized/sealed. Listing the healthy codes in status_code makes
    # uri treat only those as success instead of overriding failed_when.
    - name: Verify agent connectivity
      ansible.builtin.uri:
        url: "http://127.0.0.1:8200/v1/sys/health"
        method: GET
        status_code: [200, 429, 472, 473]
      register: vault_health
```
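The page references vault-agent.hcl.j2 but does not show it. What follows is an added example, not the article's own code or a HashiCorp-supplied file: a playbook that deploys an AppRole-backed agent configuration, a dedicated vault-agent unit, and then reads a secret through the agent's listener on 127.0.0.1:8200 (the address the validation steps on this page use) without the task holding any Vault token. It assumes Vault 1.14 or later (for the api_proxy stanza), and that the AppRole role_id and a single-use secret_id are supplied as the job variables vault_agent_role_id and vault_agent_secret_id, for example from an AAP custom credential type.

```yaml
---
# Added example, not code from the original article. Assumptions: Vault >= 1.14
# (api_proxy stanza); vault_agent_role_id and vault_agent_secret_id arrive as
# job variables, e.g. from an AAP custom credential type.
- name: Deploy Vault Agent with AppRole auto-auth
  hosts: managed_nodes
  become: true
  vars:
    vault_addr: "https://vault.example.com"
  tasks:
    # The agent deletes the secret_id file after its first login, so the
    # bootstrap secret does not linger on disk.
    - name: Write AppRole credentials
      ansible.builtin.copy:
        content: "{{ item.value }}\n"
        dest: "/etc/vault.d/{{ item.name }}"
        owner: vault
        group: vault
        mode: "0600"
      loop:
        - { name: role_id, value: "{{ vault_agent_role_id }}" }
        - { name: secret_id, value: "{{ vault_agent_secret_id }}" }
      loop_control:
        label: "{{ item.name }}"
      no_log: true

    - name: Write agent configuration
      ansible.builtin.copy:
        dest: /etc/vault.d/agent.hcl
        owner: vault
        group: vault
        mode: "0640"
        content: |
          vault {
            address = "{{ vault_addr }}"
          }

          auto_auth {
            method "approle" {
              mount_path = "auth/approle"
              config = {
                role_id_file_path                   = "/etc/vault.d/role_id"
                secret_id_file_path                 = "/etc/vault.d/secret_id"
                remove_secret_id_file_after_reading = true
              }
            }
            # File sink only for local processes that need a raw token;
            # playbook tasks go through the proxy and never see it.
            sink "file" {
              config = { path = "/etc/vault.d/agent-token" }
            }
          }

          # Forward requests to Vault and add the auto-auth token to each one.
          api_proxy {
            use_auto_auth_token = true
          }

          # Loopback only: this listener is unauthenticated by design.
          listener "tcp" {
            address     = "127.0.0.1:8200"
            tls_disable = true
          }
      notify: Restart vault-agent

    # The packaged vault.service starts `vault server`; the agent needs its own unit.
    - name: Install vault-agent systemd unit
      ansible.builtin.copy:
        dest: /etc/systemd/system/vault-agent.service
        mode: "0644"
        content: |
          [Unit]
          Description=HashiCorp Vault Agent
          After=network-online.target

          [Service]
          User=vault
          Group=vault
          ExecStart=/usr/bin/vault agent -config=/etc/vault.d/agent.hcl
          Restart=on-failure

          [Install]
          WantedBy=multi-user.target
      notify: Restart vault-agent

    - name: Enable and start the agent
      ansible.builtin.systemd:
        name: vault-agent
        state: started
        enabled: true
        daemon_reload: true

    - name: Apply any pending restart before validating
      ansible.builtin.meta: flush_handlers

    # No X-Vault-Token header: the proxy supplies the agent's token.
    - name: Read a KV v2 secret through the agent without holding a token
      ansible.builtin.uri:
        url: "http://127.0.0.1:8200/v1/secret/data/automation/test"
        status_code: 200
      register: agent_secret
      retries: 5
      delay: 2
      until: agent_secret.status == 200
      no_log: true

  handlers:
    - name: Restart vault-agent
      ansible.builtin.systemd:
        name: vault-agent
        state: restarted
```

The listener is deliberately bound to loopback and unauthenticated: anything that can reach it inherits the agent's identity, so never expose it on a network interface, and keep the AppRole's policy as narrow as the node's workload needs.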

Step 3: Check and Validate Setup

```yaml
---
- name: Validate Vault integration
  hosts: managed_nodes
  tasks:
    # vault_agent_token is the token the agent wrote to its file sink. If the
    # agent listener has use_auto_auth_token enabled, the header is unnecessary.
    - name: Test secret retrieval via agent
      ansible.builtin.uri:
        url: "http://127.0.0.1:8200/v1/secret/data/automation/test"
        method: GET
        headers:
          X-Vault-Token: "{{ vault_agent_token }}"
      register: test_secret
      no_log: true

    - name: Assert secret was retrieved
      ansible.builtin.assert:
        that:
          - test_secret.status == 200
          - test_secret.json.data.data is defined   # KV v2 nests the payload under data.data
        success_msg: "Vault integration validated successfully"
        fail_msg: "Vault integration validation failed"

    # community.hashi_vault has no "agent" auth method. "none" sends the request
    # unauthenticated so the agent's API proxy can attach its own token.
    - name: Test dynamic database credential
      community.hashi_vault.vault_read:
        url: "http://127.0.0.1:8200"
        path: database/creds/app-role
        auth_method: "none"
      register: db_creds
      no_log: true

    # vault_read returns the raw API response in data, so lease_duration is top-level.
    - name: Verify credential has TTL
      ansible.builtin.assert:
        that: db_creds.data.lease_duration > 0
        success_msg: "Dynamic credentials working (TTL: {{ db_creds.data.lease_duration }}s)"
```

Complete Integration Playbook

```yaml
---
- name: End-to-end Vault integration
  hosts: localhost
  connection: local
  vars:
    vault_url: "https://vault.example.com"
    # Bootstrap only: switch to a short-lived admin token and revoke the root
    # token as soon as the JWT role below works.
    vault_token: "{{ vault_root_token }}"
  tasks:
    # oidc_discovery_url is the issuer base URL; Vault appends
    # /.well-known/openid-configuration itself. bound_issuer must equal the
    # iss claim AAP puts in its tokens.
    - name: Configure Vault auth method for AAP
      community.hashi_vault.vault_write:
        url: "{{ vault_url }}"
        path: auth/jwt/config
        data:
          oidc_discovery_url: "https://aap.example.com"
          bound_issuer: "https://aap.example.com"
        token: "{{ vault_token }}"

    # bound_audiences and bound_issuer decide which AAP-issued tokens this role
    # accepts; user_claim maps the token's sub claim to the Vault entity alias.
    - name: Create role for automation jobs
      community.hashi_vault.vault_write:
        url: "{{ vault_url }}"
        path: auth/jwt/role/aap-automation
        data:
          role_type: jwt
          bound_audiences: ["vault"]
          user_claim: sub
          policies: automation
          ttl: 1h
        token: "{{ vault_token }}"

    - name: Store initial secrets
      community.hashi_vault.vault_write:
        url: "{{ vault_url }}"
        path: secret/data/automation/database
        data:
          data:    # KV v2 expects the secret body under a "data" key
            hostname: "db.example.com"
            port: "5432"
            username: "app_user"
            password: "{{ vault_db_password }}"
        token: "{{ vault_token }}"
      no_log: true
```

As written, the role hands the automation policy to every AAP token carrying the vault audience. In production, add bound_claims on the role so that only the job templates or organizations that actually need these secrets can log in through it.
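The playbook above sets up the trust path but never shows a job using it. The following is an added example, not code from the original article: a job-template playbook that logs in to Vault with the job's own JWT through the aap-automation role, reads the KV record and a dynamic database credential, checks the lease, uses it, and revokes it. It assumes AAP exposes the job's OIDC identity token as the variable aap_job_jwt (issuing that token is the subject of the linked OIDC article, not this page), that the database behind the KV record is PostgreSQL, and that community.postgresql is available in the execution environment.

```yaml
---
# Added example, not code from the original article. Assumptions: the job's
# identity token is available as aap_job_jwt; the target is PostgreSQL and
# community.postgresql is installed in the execution environment.
- name: Consume Vault secrets from an AAP job
  hosts: localhost
  connection: local
  gather_facts: false
  module_defaults:
    group/community.hashi_vault.vault:
      url: "https://vault.example.com"
      auth_method: jwt
      jwt: "{{ aap_job_jwt }}"
      role_id: aap-automation      # role name under auth/jwt/role/
  tasks:
    - name: Read the connection record stored in KV v2
      community.hashi_vault.vault_kv2_get:
        engine_mount_point: secret
        path: automation/database
      register: db_static
      no_log: true

    - name: Request a dynamic database credential
      community.hashi_vault.vault_read:
        path: database/creds/app-role
      register: db_lease
      no_log: true

    # Short leases are the point of dynamic secrets; fail loudly if the Vault
    # role has drifted to a long default_ttl.
    - name: Check the lease is short-lived and renewable
      ansible.builtin.assert:
        that:
          - db_lease.data.renewable | bool
          - db_lease.data.lease_duration <= 3600
        fail_msg: "database/creds/app-role issued a lease longer than 1h; tighten default_ttl on the Vault role"

    - name: Prove the credential works against the database
      community.postgresql.postgresql_ping:
        login_host: "{{ db_static.secret.hostname }}"
        port: "{{ db_static.secret.port }}"
        login_user: "{{ db_lease.data.data.username }}"
        login_password: "{{ db_lease.data.data.password }}"
      no_log: true

    # Do not leave the generated account alive until the TTL runs out.
    - name: Revoke the lease once the job is done with it
      community.hashi_vault.vault_write:
        path: sys/leases/revoke
        data:
          lease_id: "{{ db_lease.data.lease_id }}"
```

Because the login parameters sit in module_defaults, no task carries a token argument, and every Vault call in the job is attributable to the job's sub claim in Vault's audit log.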

See also: AAP 2.6 Credential Management: Vaults, External Secrets, and Machine Credentials

FAQ

Can AAP manage Vault itself?

Yes. AAP can configure Vault (policies, auth methods, secret engines), deploy Vault agents, and validate the entire setup — automating what would otherwise be manual security operations.

Does this work with Vault Enterprise and HCP Vault?

Yes. The integration supports Vault Community Edition, Vault Enterprise, and HCP Vault (HashiCorp Cloud Platform).

What Ansible collection is needed?

The community.hashi_vault collection provides all Vault-related modules and lookup plugins. Install it with ansible-galaxy collection install community.hashi_vault. The modules are built on the hvac Python library, which must be present on the controller or in the execution environment that runs the tasks.

Can I automate secret rotation with this integration?

Yes, with one distinction. Dynamic secrets such as database/creds/* are issued per request with a TTL and expire on their own, so they need no rotation job. Credentials that must stay fixed (a static database role, the root credential Vault uses to reach a database, an API key kept in KV) are rotated by calling Vault's rotation endpoints from an AAP scheduled job, which gives the rotation a cadence and a record in the job history.
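As an added example of that scheduled rotation (not code from the original article): a playbook for an AAP scheduled job that rotates the database engine's root credential and a static role's password, then proves the rotation happened. It assumes a database secrets engine with a connection named app-db and a static role named app-svc, that the job authenticates with its JWT (variable aap_job_jwt) through the aap-automation role, and that the role's policy has been extended to grant update on database/rotate-root/app-db and database/rotate-role/app-svc and read on database/static-creds/app-svc.

```yaml
---
# Added example, not code from the original article. Assumptions: database
# connection "app-db" and static role "app-svc" exist; the job's identity
# token is available as aap_job_jwt; the aap-automation role's policy grants
# update on database/rotate-root/app-db and database/rotate-role/app-svc and
# read on database/static-creds/app-svc.
- name: Scheduled credential rotation
  hosts: localhost
  connection: local
  gather_facts: false
  module_defaults:
    group/community.hashi_vault.vault:
      url: "https://vault.example.com"
      auth_method: jwt
      jwt: "{{ aap_job_jwt }}"
      role_id: aap-automation
  tasks:
    - name: Record the static credential before rotation
      community.hashi_vault.vault_read:
        path: database/static-creds/app-svc
      register: before
      no_log: true

    # Rotate the password Vault itself uses for the connection. Afterwards only
    # Vault knows it, so the value from the original connection config cannot
    # be reused by anyone who saw it.
    - name: Rotate the connection's root credential
      community.hashi_vault.vault_write:
        path: database/rotate-root/app-db
        data: {}

    # Static roles keep a fixed username; Vault sets a new password on demand.
    - name: Rotate the static role password
      community.hashi_vault.vault_write:
        path: database/rotate-role/app-svc
        data: {}

    - name: Read the static credential after rotation
      community.hashi_vault.vault_read:
        path: database/static-creds/app-svc
      register: after
      no_log: true

    - name: Fail the job if the password did not change
      ansible.builtin.assert:
        that:
          - after.data.data.password != before.data.data.password
          - after.data.data.username == before.data.data.username
        fail_msg: "database/rotate-role/app-svc did not produce a new password"
        success_msg: "app-svc rotated; next automatic rotation in {{ after.data.data.ttl }}s"
```

Consumers of the static role read database/static-creds/app-svc at run time rather than caching the password, otherwise every rotation becomes an outage.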

How does this relate to Ansible Vault (the encryption tool)?

HashiCorp Vault is an external secrets management platform. Ansible Vault is a built-in tool for encrypting files and variables. They serve different purposes and complement each other — use Ansible Vault for encrypting playbook variables, HashiCorp Vault for centralized secrets management.

Related Articles

• Ansible OIDC + HashiCorp Vault Guide
• Red Hat Ansible Automation Platform 2.7: What's New
• Ansible Vault Complete Guide
• Red Hat Summit 2026 Highlights
