AnsiblePilot — Master Ansible Automation


HashiCorp Vault Integration with Ansible: OIDC, PKI, and Dynamic Credentials Complete Guide

By Luca Berton · Published 2024-01-01 · Category: windows-automation

Learn how the hashicorp.vault collection brings OIDC auth, PKI issuance, and dynamic credentials to Ansible Automation Platform 2.7.

Secrets sprawl is one of the quiet killers of automation programs. Static credentials get copied into inventories, pasted into CI variables, and forgotten in vaults nobody rotates. At Red Hat Tech Day Netherlands 2026 (3 June 2026, Bunnik), the Ansible team addressed this head-on by announcing 12 new content collections for Ansible Automation Platform 2.7, spanning cloud, network, ITSM, and Windows operations. Among them, the hashicorp.vault collection stands out for teams that already run HashiCorp Vault as their source of truth for secrets, PKI, and identity.

This guide walks through what the collection delivers — secrets management, OIDC authentication, PKI issuance, dynamic credentials, and Event-Driven Ansible (EDA) integration — and how these pieces fit together in a modern automation pipeline.

Why Vault Integration Matters for Ansible

Ansible has long supported Vault through community modules and the credential_plugin mechanism in AAP, but the new hashicorp.vault collection formalizes and extends that relationship as part of the broader push toward what Red Hat is calling Efficiency, Resilience, Governance, and Scale for AAP 2.7. Instead of bolting Vault lookups onto playbooks as an afterthought, the collection treats Vault as a first-class secrets and identity backend across the automation lifecycle — from how a controller job authenticates, to how a playbook fetches a certificate, to how an event-driven rulebook reacts to a credential lease expiring.

See also: hashicorp.vault Ansible Collection: Complete Guide for AAP 2.7

Core Capabilities in hashicorp.vault

The collection announced at Red Hat Tech Day Netherlands 2026 covers four major capability areas:

Capability | What it solves | Typical use case
Secrets management | Read/write KV v1 and v2 secrets without hardcoding paths in every task | Pulling database passwords, API tokens, SSH keys
OIDC authentication | Lets Ansible Controller and playbooks authenticate to Vault using your identity provider instead of static tokens | SSO-driven job execution, short-lived login sessions
PKI issuance | Requests and manages certificates from Vault's PKI secrets engine | TLS certs for web servers, mTLS for service mesh nodes
Dynamic credentials | Generates short-lived, scoped credentials (cloud, database, SSH) on demand | Just-in-time access instead of long-lived shared secrets
EDA integration | Reacts to Vault events (lease expiry, secret rotation) via Event-Driven Ansible | Automated credential rotation and remediation

OIDC Authentication in Practice

Rather than storing a Vault token as a credential in Ansible Controller, teams can configure the collection to authenticate via OIDC, delegating identity verification to an external provider (Okta, Azure AD, Keycloak, etc.). This aligns with the governance theme of AAP 2.7: every automation run is tied to a real identity, tokens are short-lived, and there's no long-lived Vault token sitting in a credential store waiting to be leaked.
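The Vault side of that arrangement is what decides how short-lived and how narrowly scoped an Ansible login actually is. The following play is an added example, not part of the original post and not code from the hashicorp.vault collection; it uses the vault_write module from the community.hashi_vault collection to create a least-privilege policy, point the OIDC auth method at an identity provider, and bind a role to one IdP group with short token lifetimes. The Vault address, IdP discovery URL, client id, group name "ansible-operators", policy and role names are assumptions, and the oidc auth method plus the database and pki engines are assumed to be enabled already. The admin token used to run it comes from the environment of the operator running this one-off play and is never stored in a credential object.

```yaml
---
# Added example (not the page's code, not the collection's code): Vault-side
# setup for short-lived, identity-bound Ansible logins. All names below are
# assumptions; adjust mounts, roles and the IdP group to your environment.
- name: Configure Vault OIDC auth and a least-privilege role for Ansible jobs
  hosts: localhost
  gather_facts: false
  vars:
    vault_addr: "https://vault.internal.example.com:8200"            # assumed
    oidc_discovery_url: "https://idp.example.com/realms/platform"  # assumed IdP
    oidc_client_id: "vault-ansible"                                 # assumed
    # Secrets come from the operator's environment, not from the repository
    vault_admin_token: "{{ lookup('ansible.builtin.env', 'VAULT_TOKEN') }}"
    oidc_client_secret: "{{ lookup('ansible.builtin.env', 'OIDC_CLIENT_SECRET') }}"
  module_defaults:
    community.hashi_vault.vault_write:
      url: "{{ vault_addr }}"
      auth_method: token
      token: "{{ vault_admin_token }}"

  tasks:
    - name: Policy that allows exactly what the provisioning play needs
      community.hashi_vault.vault_write:
        path: sys/policies/acl/ansible-app-provisioner
        data:
          policy: |
            # Lease a scoped database credential
            path "database/creds/app-readonly" {
              capabilities = ["read"]
            }
            # Issue certificates under one PKI role only
            path "pki/issue/web-server-role" {
              capabilities = ["update"]
            }
            # Let a job revoke the leases it created (single lease, not prefix)
            path "sys/leases/revoke" {
              capabilities = ["update"]
            }

    - name: Point the OIDC auth method at the identity provider
      community.hashi_vault.vault_write:
        path: auth/oidc/config
        data:
          oidc_discovery_url: "{{ oidc_discovery_url }}"
          oidc_client_id: "{{ oidc_client_id }}"
          oidc_client_secret: "{{ oidc_client_secret }}"
          default_role: ansible-controller
      no_log: true   # the client secret must not appear in job output

    - name: Role that maps one IdP group to the policy with short token lifetimes
      community.hashi_vault.vault_write:
        path: auth/oidc/role/ansible-controller
        data:
          role_type: oidc
          user_claim: sub
          groups_claim: groups
          bound_audiences: ["{{ oidc_client_id }}"]
          # Only members of this IdP group may log in through this role
          bound_claims:
            groups: ["ansible-operators"]
          allowed_redirect_uris:
            - "{{ vault_addr }}/ui/vault/auth/oidc/oidc/callback"
          token_policies: ["ansible-app-provisioner"]
          token_no_default_policy: true
          token_ttl: "30m"     # a token lives about as long as one job
          token_max_ttl: "1h"  # and cannot be renewed past this
```

Two design choices carry the governance argument: the policy names concrete paths rather than wildcards, so a leaked job token can only lease one database role and one PKI role; and `bound_claims` plus a 30-minute `token_ttl` mean that a token is both tied to a group membership the IdP controls and useless shortly after the job that obtained it finishes.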

PKI Issuance and Dynamic Credentials

The PKI piece lets playbooks request certificates on the fly from Vault's PKI secrets engine — useful for rotating TLS material across fleets of web servers or issuing short-lived certs for service-to-service authentication. Dynamic credentials extend the same just-in-time philosophy to cloud and database access: instead of a static AWS key or database password baked into a credential object, Ansible requests a lease from Vault, uses it for the duration of the job, and lets it expire automatically.

Here's an illustrative example combining a dynamic database credential lookup with a PKI certificate request in a single play:

---
- name: Provision app server with Vault-issued credentials and certificate
  hosts: app_servers
  become: true
  vars:
    vault_addr: "https://vault.internal.example.com:8200"
    vault_pki_role: "web-server-role"
    vault_db_role: "app-readonly"

  tasks:
    - name: Authenticate to Vault via OIDC
      hashicorp.vault.vault_login:
        url: "{{ vault_addr }}"
        auth_method: oidc
        role_id: "ansible-controller-role"
      register: vault_auth

    - name: Request a dynamic database credential
      hashicorp.vault.vault_dynamic_credential:
        url: "{{ vault_addr }}"
        token: "{{ vault_auth.auth.client_token }}"
        secrets_engine: database
        role: "{{ vault_db_role }}"
      register: db_creds
      no_log: true

    - name: Issue a TLS certificate from Vault PKI
      hashicorp.vault.vault_pki_certificate:
        url: "{{ vault_addr }}"
        token: "{{ vault_auth.auth.client_token }}"
        role_name: "{{ vault_pki_role }}"
        common_name: "{{ inventory_hostname }}.internal.example.com"
        ttl: "72h"
      register: tls_cert

    - name: Deploy certificate to application server
      ansible.builtin.copy:
        content: "{{ tls_cert.data.certificate }}"
        dest: /etc/app/tls/server.crt
        mode: "0640"
      no_log: true

    - name: Configure application database connection with leased credential
      ansible.builtin.template:
        src: app-db-config.j2
        dest: /etc/app/db-config.yml
        mode: "0600"
      vars:
        db_username: "{{ db_creds.data.username }}"
        db_password: "{{ db_creds.data.password }}"
      no_log: true

Note the consistent use of no_log: true on tasks handling secret material — a best practice that becomes even more important once dynamic, short-lived credentials are flowing through job output that might otherwise be logged.
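The play above leaves out three things a practitioner would want around the same flow: the private key and issuing CA have to reach the server along with the certificate, a credential handed to an application has to outlive the job by at least one rotation interval, and a lease that was obtained but never successfully deployed should be revoked rather than left live until its TTL. The play below is an added example, not the page's playbook and not code from the hashicorp.vault collection; it uses the community.hashi_vault modules vault_login, vault_read, vault_pki_generate_certificate and vault_write in place of the illustrative module names above. It assumes the job receives a short-lived JWT in the VAULT_JWT environment variable (how a Controller credential type or CI system hands that over is outside the example), that the Vault JWT/OIDC role is named "ansible-controller", that a rotation job runs daily, and that the template, mount and role names match the page.

```yaml
---
# Added example (not the page's playbook, not any collection's own code).
# Assumed: VAULT_JWT holds a short-lived JWT for this job; the Vault role is
# "ansible-controller"; a rotation job runs every 24h; group "app" exists.
- name: Provision app server with Vault-issued credential and certificate
  hosts: app_servers
  become: true
  vars:
    vault_addr: "https://vault.internal.example.com:8200"
    vault_pki_role: "web-server-role"
    vault_db_role: "app-readonly"
    rotation_interval_seconds: 86400   # assumed daily rotation run

  tasks:
    - name: Log in with the job's short-lived JWT (no static Vault token anywhere)
      community.hashi_vault.vault_login:
        url: "{{ vault_addr }}"
        auth_method: jwt
        role_id: ansible-controller
        jwt: "{{ lookup('ansible.builtin.env', 'VAULT_JWT') }}"
      register: vault_auth
      no_log: true
      delegate_to: localhost

    - name: Obtain, check and deploy leased material; undo on failure
      block:
        - name: Lease a database credential for this host's application
          community.hashi_vault.vault_read:
            url: "{{ vault_addr }}"
            auth_method: token
            token: "{{ vault_auth.login.auth.client_token }}"
            path: "database/creds/{{ vault_db_role }}"
          register: db_creds
          no_log: true
          delegate_to: localhost

        - name: Refuse a credential that expires before the next rotation run
          ansible.builtin.assert:
            that:
              - db_creds.data.lease_duration | int >= rotation_interval_seconds
            fail_msg: "Lease lasts {{ db_creds.data.lease_duration }}s, shorter than the {{ rotation_interval_seconds }}s rotation interval"

        - name: Issue certificate, private key and issuing CA from the PKI engine
          community.hashi_vault.vault_pki_generate_certificate:
            url: "{{ vault_addr }}"
            auth_method: token
            token: "{{ vault_auth.login.auth.client_token }}"
            engine_mount_point: pki
            role_name: "{{ vault_pki_role }}"
            common_name: "{{ inventory_hostname }}.internal.example.com"
            ttl: "72h"
          register: tls_cert
          no_log: true   # the response carries the private key
          delegate_to: localhost

        - name: Deploy certificate and issuing CA (public material)
          ansible.builtin.copy:
            content: "{{ item.content }}"
            dest: "{{ item.dest }}"
            mode: "0644"
          loop:
            - { content: "{{ tls_cert.data.certificate }}", dest: /etc/app/tls/server.crt }
            - { content: "{{ tls_cert.data.issuing_ca }}", dest: /etc/app/tls/ca.crt }
          loop_control:
            label: "{{ item.dest }}"   # keep PEM bodies out of the loop output

        - name: Deploy private key (restricted, never logged)
          ansible.builtin.copy:
            content: "{{ tls_cert.data.private_key }}"
            dest: /etc/app/tls/server.key
            owner: root
            group: app
            mode: "0640"
          no_log: true

        - name: Configure database connection with the leased credential
          ansible.builtin.template:
            src: app-db-config.j2
            dest: /etc/app/db-config.yml
            mode: "0600"
          vars:
            db_username: "{{ db_creds.data.data.username }}"
            db_password: "{{ db_creds.data.data.password }}"
          no_log: true

      rescue:
        - name: Revoke the unused lease instead of leaving it live until TTL
          community.hashi_vault.vault_write:
            url: "{{ vault_addr }}"
            auth_method: token
            token: "{{ vault_auth.login.auth.client_token }}"
            path: sys/leases/revoke
            data:
              lease_id: "{{ db_creds.data.lease_id }}"
          when: db_creds is defined and db_creds.data is defined
          delegate_to: localhost

        - name: Re-raise so the job is marked failed
          ansible.builtin.fail:
            msg: "Provisioning failed on {{ inventory_hostname }}; database lease revoked"
```

The `block`/`rescue` shape is what turns "lets it expire automatically" into a guarantee: a credential that was issued but never reached its destination is revoked on the spot, and the assertion on `lease_duration` catches the opposite failure, where a lease shorter than the rotation cadence would leave the application with a dead credential between runs. The `label` in `loop_control` and the `no_log` on every task that touches the key or the credential keep PEM bodies and passwords out of job output even when the loop itself is verbose.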

See also: AAP MCP Security and Compliance Tool Set: Audit Trails via AI Agents

Event-Driven Ansible Integration

The collection's EDA integration closes the loop on secrets lifecycle management. Rather than relying on cron jobs or manual rotation runbooks, an EDA rulebook can subscribe to Vault lease-expiry or secret-rotation events and trigger a remediation playbook automatically — for example, re-issuing a certificate before it expires, or rotating a database credential the moment a lease is revoked. This mirrors the closed-loop remediation pattern Red Hat also highlighted for splunk.itsi and microsoft.scom at the same event, reinforcing EDA as the connective tissue across the new AAP 2.7 collection lineup.
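A rulebook for that loop, as an added example that is not part of the original post and not code from the ansible.eda or hashicorp.vault projects: it listens on the ansible.eda.webhook source and maps two constructed event kinds to remediation playbooks. It assumes a small bridge of your own (for instance a consumer of Vault's event stream, or a scheduled certificate-expiry scan) posts JSON to this endpoint with the fields `kind`, `host`, `lease_id` and `days_left`; those field names, the threshold of 7 days and the playbook file names are assumptions.

```yaml
---
# Added example (not the page's code, not the ansible.eda project's code).
# Constructed sample event bodies the assumed bridge would POST to the webhook:
#   {"kind": "certificate_expiring", "host": "app01", "days_left": 3}
#   {"kind": "lease_revoked", "host": "app01",
#    "lease_id": "database/creds/app-readonly/EXAMPLE-LEASE-ID"}
- name: React to Vault secrets lifecycle events
  hosts: all
  sources:
    - ansible.eda.webhook:
        host: 0.0.0.0
        port: 5000
        # Put TLS and client authentication in front of this listener (the
        # exact options depend on your ansible.eda version); an open endpoint
        # would let anyone on the network trigger rotation runs.

  rules:
    - name: Reissue a certificate before it expires
      condition: event.payload.kind == "certificate_expiring" and event.payload.days_left < 7
      action:
        run_playbook:
          name: reissue-certificate.yml          # assumed playbook of yours
          extra_vars:
            target_host: "{{ event.payload.host }}"

    - name: Rotate the application credential when its lease is revoked
      condition: >-
        event.payload.kind == "lease_revoked"
        and event.payload.lease_id is match("database/creds/app-readonly/")
      action:
        run_playbook:
          name: rotate-db-credential.yml         # assumed playbook of yours
          extra_vars:
            target_host: "{{ event.payload.host }}"

    - name: Record anything else so unexpected event kinds are visible
      condition: event.payload is defined
      action:
        debug:
          msg: "Unhandled event kind: {{ event.payload.kind | default('none') }}"
```

Run it with `ansible-rulebook --rulebook vault-events.yml -i inventory` (file name assumed). The `is match` on the lease id prefix is the guard that keeps a revocation of some unrelated lease from kicking off a database rotation, and the catch-all rule means that a bridge sending a new event kind shows up in the rulebook log instead of being silently dropped.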

Where This Fits in the AAP 2.7 Collection Set

hashicorp.vault was one of 12 collections announced together at Red Hat Tech Day Netherlands 2026, alongside cloud collections (google.cloud, azure.azcollection), network operations (cisco.intersight), platform tooling (ansible.platform), observability and ITSM (splunk.enterprise, splunk.es, splunk.itsi), Windows and endpoint management (microsoft.mecm, microsoft.scom, infra.mecm_ops, infra.windows_ops). Secrets and identity are foundational to nearly every one of those domains, which is why Vault integration was positioned as a cross-cutting capability rather than a niche add-on.

See also: Agent Identity and Guardrails: Securing OpenClaw Access to Ansible Automation Platform

Key Takeaways

  • The hashicorp.vault collection brings secrets management, OIDC authentication, PKI issuance, and dynamic credentials into Ansible as native capabilities, not bolted-on lookups.
  • OIDC authentication removes long-lived Vault tokens from Ansible Controller credential stores, tying automation runs to real identities.
  • Dynamic credentials and PKI issuance replace static secrets with short-lived, scoped access — reducing blast radius if a credential leaks.
  • EDA integration enables closed-loop credential rotation, reacting to Vault lease and rotation events without manual intervention.
  • The collection was announced as part of 12 new AAP 2.7 collections at Red Hat Tech Day Netherlands 2026, reflecting secrets management as foundational infrastructure across cloud, network, and endpoint automation.

Always test authentication methods and dynamic credential roles in a non-production Vault namespace before rolling changes into environments where AAP jobs depend on them.
