PLEASE NOTE: This document applies to latest version and not to the latest stable release v2.20
vault
Interact with HashiCorp Vault for secrets management.
Attributes
check_mode:
support: full
Parameters
| Parameter | Required | Type | Values | Description |
|---|---|---|---|---|
| data | | object | | The secret data to write, as key/value pairs. Required when state=present. |
| engine | | string | v1, v2 | The KV secrets engine version. |
| mount | | string | | The mount point for the secrets engine. |
| namespace | | string | | The Vault namespace (Vault Enterprise feature). |
| path | yes | string | | The path to the secret in Vault. |
| state | | string | read, present, absent | The desired state of the secret. |
| token | | string | | The Vault token for authentication. If not provided, the VAULT_TOKEN environment variable is used. |
| url | | string | | The URL of the Vault server. If not provided, the VAULT_ADDR environment variable is used. |
| validate_certs | | boolean | | Validate the Vault server's TLS certificate. Disabling this lets anyone on the network path read the token and the secret data, so only turn it off against a test server. |
Examples
```yaml
# no_log: true keeps the token and the secret data out of playbook output and logs,
# which otherwise show the task arguments and result in verbose runs.
- name: Read secret from Vault
  vault:
    path: secret/data/myapp
    url: https://vault.example.com
    token: '{{ vault_token }}'
    state: read
  register: secret_data
  no_log: true

- name: Write secret to Vault
  vault:
    path: secret/data/myapp
    url: https://vault.example.com
    token: '{{ vault_token }}'
    data:
      username: admin
      password: '{{ db_password }}'
    state: present
  no_log: true

- name: Delete secret
  vault:
    path: secret/data/oldapp
    url: https://vault.example.com
    token: '{{ vault_token }}'
    state: absent
  no_log: true

- name: Read secret with namespace (Vault Enterprise)
  vault:
    path: secret/data/myapp
    url: https://vault.example.com
    token: '{{ vault_token }}'
    namespace: team-a
    state: read
  register: secret_data
  no_log: true

# KV v1 paths have no /data/ segment between the mount and the secret name
- name: Write to KV v1 engine
  vault:
    path: kv/myapp
    url: https://vault.example.com
    token: '{{ vault_token }}'
    engine: v1
    data:
      key: value
    state: present
  no_log: true

# url and token fall back to the VAULT_ADDR and VAULT_TOKEN environment variables
- name: Use environment variables for connection
  vault:
    path: secret/data/myapp
    state: read
  register: secret_data
  no_log: true
```
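The parameter table and the examples above hinge on one detail that is easy to get wrong: KV v1 and KV v2 expose different HTTP paths, request bodies and response shapes, and the engine, mount, state, namespace and validate_certs parameters all end up as pieces of a single Vault API request. The following Python is an added illustration of that mapping, not the module's own code. It models how such a module would build each request against Vault's KV HTTP API and interpret the reply, using an offline, constructed sample response; the function names (build_request, extract_secret, plan_write) and the split of the module's path into a mount and a secret path are assumptions made for the example, as is the environment-variable fallback being passed in as a dict so it can be exercised without touching the real environment.

```python
"""Added illustration of how an Ansible-style Vault module maps its parameters onto
Vault's KV v1/v2 HTTP API. Not the module's own code; names and the mount/path split
are assumptions for the example."""
import os

VAULT_TOKEN_HEADER = "X-Vault-Token"
VAULT_NAMESPACE_HEADER = "X-Vault-Namespace"  # Vault Enterprise namespaces

# Constructed sample responses in the shape Vault returns for a KV read.
# KV v2 nests the secret under data.data and adds data.metadata (version, timestamps);
# KV v1 returns the secret directly under data.
SAMPLE_V2_RESPONSE = {
    "data": {
        "data": {"username": "admin", "password": "hunter2"},
        "metadata": {"version": 3, "destroyed": False},
    }
}
SAMPLE_V1_RESPONSE = {"data": {"key": "value"}}


def resolve_connection(url=None, token=None, env=None):
    """Explicit url/token win; otherwise fall back to VAULT_ADDR / VAULT_TOKEN."""
    env = os.environ if env is None else env
    url = url or env.get("VAULT_ADDR")
    token = token or env.get("VAULT_TOKEN")
    if not url or not token:
        raise ValueError("Vault url and token are required: pass them or set VAULT_ADDR/VAULT_TOKEN")
    return url.rstrip("/"), token


def api_path(mount, secret_path, engine):
    """KV v2 inserts /data/ between the mount and the secret path; KV v1 does not."""
    mount = mount.strip("/")
    secret_path = secret_path.strip("/")
    if engine == "v2":
        return f"/v1/{mount}/data/{secret_path}"
    if engine == "v1":
        return f"/v1/{mount}/{secret_path}"
    raise ValueError(f"unknown KV engine version: {engine}")


def build_request(state, mount, secret_path, engine="v2", url=None, token=None,
                  data=None, namespace=None, validate_certs=True, env=None):
    """Translate module parameters into one HTTP request description."""
    base, tok = resolve_connection(url, token, env)
    headers = {VAULT_TOKEN_HEADER: tok}
    if namespace:
        headers[VAULT_NAMESPACE_HEADER] = namespace
    req = {
        "url": base + api_path(mount, secret_path, engine),
        "headers": headers,
        "json": None,
        # validate_certs maps onto TLS verification; False lets an on-path attacker
        # read the token header and the secret body, so keep it True in production.
        "verify": bool(validate_certs),
    }
    if state == "read":
        req["method"] = "GET"
    elif state == "present":
        if not data:
            raise ValueError("data is required when state=present")
        # KV v2 wraps the key/value pairs in a "data" envelope; KV v1 posts them as-is.
        req["json"] = {"data": data} if engine == "v2" else data
        req["method"] = "POST"
    elif state == "absent":
        # On KV v2 a DELETE against /data/ soft-deletes the latest version only;
        # removing all versions and metadata needs the /metadata/ path instead.
        req["method"] = "DELETE"
    else:
        raise ValueError(f"unknown state: {state}")
    return req


def extract_secret(response_json, engine):
    """Return the key/value pairs of a read response for either engine version."""
    if engine == "v2":
        return response_json["data"]["data"]
    return response_json["data"]


def plan_write(existing, desired):
    """Idempotence / check mode: report changed only when the stored pairs differ
    from the desired ones, so a check-mode run can predict the result without writing."""
    return existing != desired


if __name__ == "__main__":
    r = build_request("read", "secret", "myapp", "v2",
                      url="https://vault.example.com", token="s.example", env={})
    print(r["method"], r["url"])
    print(extract_secret(SAMPLE_V2_RESPONSE, "v2"))
```

Two things fall out of this that the examples above do not spell out: with KV v2 the data you write is not the JSON body itself but sits inside a `data` envelope, and the secret you read back is two levels down, so code that treats `data` as the secret will silently pick up the metadata wrapper instead.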