hashicorp.vault Ansible Collection: Complete Guide for AAP 2.7
By Luca Berton · Published 2026-06-29 · Category: installation
Guide to the hashicorp.vault certified Ansible collection: KV secrets, dynamic credentials, PKI workflows, Vault policies, and Event-Driven Ansible integration.
The hashicorp.vault collection is Red Hat's certified Ansible collection for HashiCorp Vault, highlighted as a key addition in AAP 2.7. It provides a complete set of content for managing Vault policies, authentication methods, dynamic secrets, PKI workflows, and enterprise features such as namespaces and multi-tenant configurations.
If you've been using community.hashi_vault, Red Hat provides documented migration guidance to help you transition to the certified collection with minimal disruption.
Installing hashicorp.vault

```shell
# Install from Red Hat Automation Hub (certified version)
ansible-galaxy collection install hashicorp.vault

# Or from Ansible Galaxy (same command; which server answers depends on the
# galaxy server configured in ansible.cfg)
ansible-galaxy collection install hashicorp.vault
```

Or add it to requirements.yml:

```yaml
# requirements.yml
collections:
  - name: hashicorp.vault
    version: ">=1.0.0"
```

See also: AAP 2.6 Credential Management: Vaults, External Secrets, and Machine Credentials
Connecting to Vault

All hashicorp.vault modules support the same connection parameters:

```yaml
vars:
  vault_url: "https://vault.example.com"
  vault_token: "{{ lookup('env', 'VAULT_TOKEN') }}"

  # Or use AppRole authentication
  vault_auth_method: approle
  vault_role_id: "{{ vault_role_id }}"
  vault_secret_id: "{{ vault_secret_id }}"
```

For AAP 2.7 OIDC integration (technology preview), AAP issues short-lived JWT tokens automatically:

```yaml
vars:
  vault_url: "https://vault.example.com"
  vault_auth_method: jwt
  vault_role: "ansible-automation"
  # ansible_oidc_token is injected automatically by AAP 2.7
  vault_jwt: "{{ ansible_oidc_token }}"
```

KV Secret Lookups
Read KV v2 secrets directly in your playbooks:

```yaml
- name: Retrieve database credentials from Vault
  hosts: app_servers
  tasks:
    - name: Read DB creds from KV v2
      hashicorp.vault.vault_kv2_get:
        url: "{{ vault_url }}"
        token: "{{ vault_token }}"
        path: "secret/data/production/database"
      register: db_secret
      no_log: true   # keep the registered secret out of task output and logs

    - name: Configure application
      ansible.builtin.template:
        src: app-config.j2
        dest: /etc/myapp/config.yml
        mode: "0600"   # the rendered file contains the DB password
      vars:
        db_host: "{{ db_secret.data.data.host }}"
        db_user: "{{ db_secret.data.data.username }}"
        db_pass: "{{ db_secret.data.data.password }}"
```

Using the Lookup Plugin
For inline secret retrieval without task registration:

```yaml
- name: Deploy with inline secret lookup
  hosts: localhost
  tasks:
    - name: Create config from Vault secret
      ansible.builtin.copy:
        content: |
          api_key: {{ lookup('hashicorp.vault.hashi_vault', 'secret=secret/data/api_keys:api_key') }}
          api_secret: {{ lookup('hashicorp.vault.hashi_vault', 'secret=secret/data/api_keys:api_secret') }}
        dest: /etc/myapp/credentials.conf
        mode: "0600"
      no_log: true   # otherwise the rendered content shows up in --diff output
```

See also: Integrating HashiCorp Vault with Event-Driven Ansible in AAP 2.6
Policy Management
Create and manage Vault policies with Ansible:
```yaml
- name: Manage Vault policies
  hosts: localhost
  connection: local
  tasks:
    - name: Create ansible-automation policy
      hashicorp.vault.vault_policy:
        url: "{{ vault_url }}"
        token: "{{ vault_root_token }}"
        name: "ansible-automation"
        policy: |
          path "secret/data/production/*" {
            capabilities = ["read", "list"]
          }
          path "database/creds/prod-role" {
            capabilities = ["read"]
          }
          path "pki/issue/web-cert" {
            capabilities = ["update"]
          }
        state: present

    - name: Create read-only policy for operators
      hashicorp.vault.vault_policy:
        url: "{{ vault_url }}"
        token: "{{ vault_root_token }}"
        name: "operator-readonly"
        policy: |
          path "secret/data/+/config" {
            capabilities = ["read"]
          }
        state: present
```
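Policies written this way are only as good as the paths and capabilities they grant, and it is easy to let a `*` or a `sudo` slip into one over time. The following is an added example, not part of the hashicorp.vault collection or of the original post: a small stdlib-only Python linter that parses the `path "..." { capabilities = [...] }` blocks of a Vault ACL policy and flags the usual least-privilege mistakes (sudo/root, wildcards with almost no fixed prefix, write access under `sys/`, `auth/` or `identity/`). The thresholds and severities are assumptions chosen for the demo; the sample policies are the two from the playbook above plus a constructed over-broad one.

```python
"""Least-privilege lint for Vault ACL policies (added example, stdlib only)."""
import re
from dataclasses import dataclass

# Constructed samples: the ansible-automation policy from the playbook above,
# and a deliberately over-broad policy to show what the checks catch.
ANSIBLE_AUTOMATION_POLICY = '''
path "secret/data/production/*" {
  capabilities = ["read", "list"]
}
path "database/creds/prod-role" {
  capabilities = ["read"]
}
path "pki/issue/web-cert" {
  capabilities = ["update"]
}
'''

OVERBROAD_POLICY = '''
path "*" {
  capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}
path "sys/policies/acl/*" {
  capabilities = ["update"]
}
'''

_BLOCK_RE = re.compile(r'path\s+"([^"]+)"\s*\{([^}]*)\}', re.S)
_CAPS_RE = re.compile(r'capabilities\s*=\s*\[([^\]]*)\]', re.S)
_STR_RE = re.compile(r'"([^"]*)"')

WRITE_CAPS = {"create", "update", "delete", "patch"}
# Assumption: treat Vault's own config trees as privileged for this lint.
PRIVILEGED_PREFIXES = ("sys/", "auth/", "identity/")


@dataclass
class Finding:
    path: str
    severity: str
    message: str


def parse_policy(text):
    """Return [(path, {capabilities})] for every path block in an HCL policy."""
    rules = []
    for path, body in _BLOCK_RE.findall(text):
        m = _CAPS_RE.search(body)
        caps = set(_STR_RE.findall(m.group(1))) if m else set()
        rules.append((path, caps))
    return rules


def lint_policy(text, min_segments=2):
    """Flag grants that are broader than a single automation job needs."""
    findings = []
    for path, caps in parse_policy(text):
        if "deny" in caps:
            continue  # an explicit deny cannot over-grant
        if "sudo" in caps or "root" in caps:
            findings.append(Finding(path, "high", "grants sudo/root capability"))
        if path.endswith("*"):
            # Count fixed segments before the wildcard; "*" alone has none.
            segments = [s for s in path[:-1].split("/") if s]
            if len(segments) < min_segments:
                findings.append(Finding(
                    path, "high",
                    f"wildcard with fewer than {min_segments} fixed path segments"))
        if path.startswith(PRIVILEGED_PREFIXES) and caps & WRITE_CAPS:
            findings.append(Finding(path, "medium",
                                    "write access to Vault's own configuration"))
    return findings


if __name__ == "__main__":
    for label, text in (("ansible-automation", ANSIBLE_AUTOMATION_POLICY),
                        ("overbroad", OVERBROAD_POLICY)):
        print(f"== {label} ==")
        for f in lint_policy(text) or [Finding("-", "ok", "no findings")]:
            print(f"  [{f.severity}] {f.path}: {f.message}")
```

Run it against the `policy:` bodies before the `vault_policy` task applies them; the ansible-automation policy above passes cleanly, while the constructed one produces three findings.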
Authentication Methods

Configure and manage Vault authentication backends:

```yaml
- name: Enable AppRole authentication
  hashicorp.vault.vault_auth:
    url: "{{ vault_url }}"
    token: "{{ vault_root_token }}"
    path: "approle"
    type: "approle"
    state: present

- name: Enable JWT authentication for AAP OIDC
  hashicorp.vault.vault_auth:
    url: "{{ vault_url }}"
    token: "{{ vault_root_token }}"
    path: "jwt"
    type: "jwt"
    config:
      # Issuer base URL only: Vault appends /.well-known/openid-configuration itself
      oidc_discovery_url: "https://aap.example.com"
      default_role: "ansible-automation"
    state: present

- name: Create JWT role for AAP workloads
  hashicorp.vault.vault_jwt_auth_role:
    url: "{{ vault_url }}"
    token: "{{ vault_root_token }}"
    path: "jwt"
    name: "ansible-automation"
    bound_audiences:
      - "https://vault.example.com"
    user_claim: "sub"
    policies:
      - "ansible-automation"
    ttl: "1h"
    state: present
```

See also: HashiCorp Vault Integration with Ansible Automation Platform: Credential Management at Scale
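The JWT role is where the trust boundary lives: `bound_audiences` stops a token minted for some other service from logging in to Vault, and `user_claim` decides which claim becomes the entity alias. To make those bindings concrete, here is an added Python example (stdlib only, not the collection's code and not how Vault is implemented) that applies the same checks to a decoded claim set. The `bound_issuer` and `clock_skew_leeway` values in the role are assumptions for the demo; the sample claims are constructed. Signature verification is deliberately not part of it, because that is Vault's job via the keys it fetches from `oidc_discovery_url`.

```python
"""Claim checks a Vault JWT role applies before issuing a token (added example)."""
import base64
import json
import time

# Constructed role mirroring the vault_jwt_auth_role task above.
# bound_issuer and clock_skew_leeway are demo assumptions, not from the page.
ROLE = {
    "bound_audiences": ["https://vault.example.com"],
    "user_claim": "sub",
    "bound_issuer": "https://aap.example.com",
    "clock_skew_leeway": 60,
}


def _b64url_decode(part):
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def decode_claims(token):
    """Return the payload of a compact JWT WITHOUT verifying its signature.
    Vault verifies signatures against the issuer's published keys; this helper
    only lets you inspect what a token asserts, never whether it is genuine."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a three-part compact JWT")
    return json.loads(_b64url_decode(parts[1]))


def role_accepts(claims, role, now=None):
    """Apply the role's bindings to a claim set; returns (accepted, reason)."""
    now = time.time() if now is None else now
    leeway = role.get("clock_skew_leeway", 0)

    exp = claims.get("exp")
    if exp is None:
        return False, "missing exp claim"
    if now > exp + leeway:
        return False, "token expired"
    nbf = claims.get("nbf")
    if nbf is not None and now + leeway < nbf:
        return False, "token not yet valid"

    # aud may be a single string or a list; at least one value must be bound.
    aud = claims.get("aud", [])
    aud = [aud] if isinstance(aud, str) else list(aud)
    if role["bound_audiences"] and not set(aud) & set(role["bound_audiences"]):
        return False, "audience %r not in bound_audiences" % aud

    if role.get("bound_issuer") and claims.get("iss") != role["bound_issuer"]:
        return False, "issuer mismatch"

    # user_claim names the claim that becomes the entity alias.
    subject = claims.get(role["user_claim"])
    if not subject:
        return False, "missing user_claim %r" % role["user_claim"]
    return True, "accepted; entity alias %s" % subject


def make_demo_token(claims):
    """Constructed token for the demo: header and payload with an EMPTY signature,
    which is exactly why decode_claims() must never be used as verification."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "RS256", "typ": "JWT"}), enc(claims), ""])


if __name__ == "__main__":
    now = int(time.time())
    demo = make_demo_token({"iss": "https://aap.example.com", "sub": "job-template:42",
                            "aud": ["https://vault.example.com"], "exp": now + 3600})
    print(role_accepts(decode_claims(demo), ROLE, now))
    print(role_accepts(dict(decode_claims(demo), aud="https://other.example.com"), ROLE, now))
```

The second call in the usage shows the point of `bound_audiences`: a token that is otherwise valid but was issued for a different audience is refused before any policy is attached.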
Dynamic Secrets: Database Credentials
Replace static database passwords with Vault-generated, time-limited credentials:
```yaml
- name: Configure dynamic database secrets
  hosts: localhost
  connection: local
  tasks:
    - name: Enable database secrets engine
      hashicorp.vault.vault_secret_engine:
        url: "{{ vault_url }}"
        token: "{{ vault_root_token }}"
        path: "database"
        type: "database"
        state: present

    - name: Configure PostgreSQL connection
      hashicorp.vault.vault_database_config:
        url: "{{ vault_url }}"
        token: "{{ vault_root_token }}"
        path: "database/config/prod-postgres"
        plugin_name: "postgresql-database-plugin"
        # {{username}} and {{password}} are Vault's own placeholders, not Ansible
        # variables: tag the string !unsafe so Ansible passes them through untemplated
        connection_url: !unsafe "postgresql://{{username}}:{{password}}@postgres.prod.example.com:5432/appdb"
        username: "vault-admin"
        password: "{{ vault_db_admin_password }}"
        allowed_roles:
          - "app-role"
          - "readonly-role"
        state: present

    - name: Create database role with TTL
      hashicorp.vault.vault_database_role:
        url: "{{ vault_url }}"
        token: "{{ vault_root_token }}"
        path: "database/roles/app-role"
        db_name: "prod-postgres"
        # Same rule: {{name}}, {{password}} and {{expiration}} are filled in by Vault
        creation_statements:
          - !unsafe "CREATE ROLE \"{{name}}\" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}';"
          - !unsafe "GRANT app_role TO \"{{name}}\";"
        default_ttl: "1h"
        max_ttl: "24h"
        state: present

- name: Use dynamic credentials in application deployment
  hosts: app_servers
  tasks:
    - name: Get dynamic database credentials
      hashicorp.vault.vault_database_creds:
        url: "{{ vault_url }}"
        token: "{{ vault_app_token }}"
        path: "database/creds/app-role"
      register: dynamic_creds
      no_log: true

    - name: Configure app with dynamic credentials
      ansible.builtin.template:
        src: db-config.j2
        dest: /etc/app/database.yml
        mode: "0600"
      vars:
        db_username: "{{ dynamic_creds.data.username }}"
        db_password: "{{ dynamic_creds.data.password }}"
```

PKI Workflows: Short-Lived SSH Keys
Issue and manage TLS certificates and SSH keys through Vault's PKI engine:
```yaml
- name: Issue TLS certificate for web server
  hosts: localhost
  connection: local
  tasks:
    - name: Issue certificate
      hashicorp.vault.vault_pki_issue:
        url: "{{ vault_url }}"
        token: "{{ vault_token }}"
        path: "pki/issue/web-cert"
        common_name: "web01.prod.example.com"
        ttl: "24h"
        alt_names:
          - "web01"
          - "web01.internal"
        ip_sans:
          - "10.0.1.50"
      register: tls_cert
      no_log: true

    - name: Deploy certificate to web server
      ansible.builtin.copy:
        content: "{{ tls_cert.data.certificate }}"
        dest: /etc/nginx/ssl/server.crt
        mode: "0644"
      delegate_to: web01.prod.example.com

    - name: Deploy private key
      ansible.builtin.copy:
        content: "{{ tls_cert.data.private_key }}"
        dest: /etc/nginx/ssl/server.key
        mode: "0600"
      delegate_to: web01.prod.example.com
      no_log: true
```

Enterprise Features: Namespaces
For enterprise Vault deployments with namespaces:
```yaml
- name: Manage secrets in a namespace
  hosts: localhost
  tasks:
    - name: Write secret to team namespace
      hashicorp.vault.vault_kv2_put:
        url: "{{ vault_url }}"
        token: "{{ vault_token }}"
        namespace: "engineering/backend-team"
        path: "secret/data/app-config"
        data:
          api_endpoint: "https://api.internal.example.com"
          feature_flags_enabled: true
        state: present

    - name: Read secret from namespace
      hashicorp.vault.vault_kv2_get:
        url: "{{ vault_url }}"
        token: "{{ vault_token }}"
        namespace: "engineering/backend-team"
        path: "secret/data/app-config"
      register: app_config
```

Event-Driven Ansible Integration
Trigger rulebook workflows based on Vault events. The hashicorp.vault collection includes source plugins for EDA:
```yaml
# vault-rulebook.yml
- name: React to Vault secret renewals
  hosts: all
  sources:
    - hashicorp.vault.vault_event_source:
        url: "{{ vault_url }}"
        token: "{{ vault_token }}"
        event_types:
          - secret_renewal
          - policy_change
          - auth_failure
        poll_interval: 60
  rules:
    - name: Rotate app credentials on secret renewal
      condition: event.type == "secret_renewal" and "production" in event.path
      action:
        run_job_template:
          name: "Rotate Application Credentials"
          organization: "Platform Engineering"

    - name: Alert on auth failures
      condition: event.type == "auth_failure"
      action:
        run_job_template:
          name: "Security Alert - Vault Auth Failure"
          organization: "Security Operations"
          extra_vars:
            failed_path: "{{ event.path }}"
            source_ip: "{{ event.source_ip }}"
```

Migrating from community.hashi_vault
Red Hat provides migration documentation to help transition from community.hashi_vault. The main mapping:

| community.hashi_vault | hashicorp.vault | Notes |
|---|---|---|
| community.hashi_vault.vault_kv2_get | hashicorp.vault.vault_kv2_get | Same parameters |
| community.hashi_vault.vault_write | hashicorp.vault.vault_write | Same parameters |
| community.hashi_vault.hashi_vault (lookup) | hashicorp.vault.hashi_vault (lookup) | Same syntax |
| community.hashi_vault.vault_token_create | hashicorp.vault.vault_token_create | Same parameters |

For these modules the change is replacing the community.hashi_vault namespace with hashicorp.vault. Test in a staging environment before migrating production playbooks.

```shell
# Find all usages in your playbooks
grep -r "community.hashi_vault" /path/to/playbooks/

# Update namespace (macOS/BSD sed; GNU sed takes -i without the empty '')
find /path/to/playbooks -name "*.yml" -exec \
  sed -i '' 's/community\.hashi_vault\./hashicorp\.vault\./g' {} \;
```
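The sed one-liner above only rewrites occurrences followed by a dot, so a bare `- community.hashi_vault` entry under a play's `collections:` list would be left behind, and it edits files in place on the first run. As an added example (not part of the collection or the original post), here is a stdlib-only Python version that generalises the same rewrite: it matches the namespace on word boundaries so module FQCNs, lookup plugin names inside `lookup('...')` strings and bare `collections:` entries are all covered, and it reports per-file counts as a dry run unless `--apply` is given. The sample playbook text is constructed for the demo; the `collections`/`.git` skip list is an assumption.

```python
"""Rewrite community.hashi_vault references to hashicorp.vault (added example)."""
import re
import sys
from pathlib import Path

OLD_NS = "community.hashi_vault"
NEW_NS = "hashicorp.vault"

# Word boundaries on both sides: matches "community.hashi_vault.vault_kv2_get",
# the lookup name inside lookup('community.hashi_vault.hashi_vault', ...) and a
# bare "community.hashi_vault" list entry, but not e.g. "community.hashi_vault_x".
_NS_RE = re.compile(r"\b" + re.escape(OLD_NS) + r"\b")

# Constructed sample covering all three forms the regex must catch.
SAMPLE_PLAYBOOK = """\
- hosts: localhost
  collections:
    - community.hashi_vault
  tasks:
    - community.hashi_vault.vault_kv2_get:
        path: production/database
      register: db_secret
    - ansible.builtin.debug:
        msg: "{{ lookup('community.hashi_vault.hashi_vault', 'secret=secret/data/api_keys:api_key') }}"
"""


def migrate_text(text):
    """Return (rewritten_text, number_of_replacements)."""
    return _NS_RE.subn(NEW_NS, text)


def migrate_tree(root, apply=False, skip_dirs=("collections", ".git")):
    """Walk *root* for YAML files and return {path: replacements}.
    Files are only written back when apply=True, so the default is a dry run."""
    report = {}
    for path in sorted(Path(root).rglob("*")):
        if path.suffix not in (".yml", ".yaml"):
            continue
        if any(part in skip_dirs for part in path.parts):
            continue  # assumption: vendored collections and VCS metadata stay untouched
        new_text, n = migrate_text(path.read_text(encoding="utf-8"))
        if n:
            report[str(path)] = n
            if apply:
                path.write_text(new_text, encoding="utf-8")
    return report


if __name__ == "__main__":
    args = [a for a in sys.argv[1:] if a != "--apply"]
    root = args[0] if args else "."
    apply = "--apply" in sys.argv
    for path, n in migrate_tree(root, apply=apply).items():
        print(f"{n:4d}  {path}")
    if not apply:
        print("dry run; re-run with --apply to write changes")
```

Run `python migrate_hashi_vault.py /path/to/playbooks` first, review the counts against the `grep -r` output, then add `--apply`.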
Conclusion

The hashicorp.vault certified collection brings enterprise-grade secrets management automation to Ansible Automation Platform 2.7. Dynamic credentials eliminate static password sprawl, PKI workflows automate certificate lifecycle, and EDA integration enables real-time response to Vault events. The migration path from community.hashi_vault is straightforward for most use cases.