ansible-collections/hashicorp.vault


HashiCorp Vault Collection

This repository contains the hashicorp.vault Ansible Collection.

Description

The primary purpose of this collection is to provide seamless integration between Ansible Automation Platform and HashiCorp Vault. It contains modules and plugins that support managing secrets, namespaces, authentication, and other Vault operations by using Ansible automation.

Requirements

Some modules and plugins require external libraries. Please check the requirements for each plugin or module you use in the documentation to find out which requirements are needed.

Ansible version compatibility

Tested with Ansible Core versions >= 2.16.0.

Python version compatibility

Tested with Python versions >= 3.10.

Included content

Lookup plugins

| Name | Description |
| --- | --- |
| hashicorp.vault.kv2_secret_get | Look up KV2 secrets stored in HashiCorp Vault |

Modules

| Name | Description |
| --- | --- |
| hashicorp.vault.kv2_secret | Manage HashiCorp Vault KV version 2 secrets |
| hashicorp.vault.kv2_secret_info | Read HashiCorp Vault KV version 2 secrets |
| hashicorp.vault.acl_policy | Manage HashiCorp Vault ACL policies |
| hashicorp.vault.acl_policy_info | List and read HashiCorp Vault ACL policies |

Installation

To install this collection from Automation Hub, the following needs to be added to ansible.cfg:

[galaxy]
server_list=automation_hub

[galaxy_server.automation_hub]
url=https://console.redhat.com/api/automation-hub/content/published/
auth_url=https://sso.redhat.com/auth/realms/redhat-external/protocol/openid-connect/token
token=<SuperSecretToken>

To download contents from Automation Hub using ansible-galaxy CLI, you would need to generate and use an offline token. If you already have a token, please ensure that it has not expired. Visit Connect to Hub to obtain the necessary token.

With this configured and Ansible Galaxy command-line tool installed, run the following command:

ansible-galaxy collection install hashicorp.vault

You can also include it in a requirements.yml file and install it via ansible-galaxy collection install -r requirements.yml using the format:

collections:
  - name: hashicorp.vault

To upgrade the collection to the latest available version, run the following command:

ansible-galaxy collection install hashicorp.vault --upgrade

You can also install a specific version of the collection, for example, if you need to downgrade when something is broken in the latest version (please report an issue in this repository). Use the following syntax where X.Y.Z can be any available version:

ansible-galaxy collection install hashicorp.vault:==X.Y.Z

See Ansible Using Collections for more details.

Use Cases

Modules in this collection can be used for various operations on HashiCorp Vault. Currently the collection supports:

  • Managing KV2 secrets in HashiCorp Vault (create, read, update, delete [soft-delete])

Testing

GitHub Actions workflows run tests for this collection. The CI uses a two-tier approach:

  • Tier 1 (All PRs): Linters, sanity tests, and unit tests run automatically
  • Tier 2 (Integration): Vault integration tests run automatically for internal PRs; external PRs require maintainer approval

Running Tests Locally

Linters:

pip install -r requirements-linters.txt
tox -e linters

Unit Tests:

pip install -r test-requirements.txt
pytest tests/unit/

Integration Tests:

Integration tests require a Vault instance.

Copy the integration config template and fill in your Vault details:

cp tests/integration/integration_config.yml.template tests/integration/integration_config.yml

Add your Vault details:

vault_url_from_int_config: "<VAULT_URL_HERE>"
vault_namespace_from_int_config: "<VAULT_NAMESPACE_HERE>" # example: admin/hashicorp-vault-integration-tests
vault_approle_role_id_from_int_config: "<VAULT_APPROLE_ROLE_ID_HERE>"
vault_approle_secret_id_from_int_config: "<VAULT_APPROLE_SECRET_ID_HERE>"

Run the tests:

ansible-test integration <target>

Using a Local Vault Instance:

You can test changes using a local instance of HashiCorp Vault.

Follow this guide to start a local development server: https://developer.hashicorp.com/vault/tutorials/get-started/setup

Prerequisites:

For running the integration tests locally, you need to:

  1. Start a Vault dev server
  2. Configure AppRole authentication
  3. Retrieve the role_id and secret_id
  4. Update defaults/main.yml in your integration tests with the required values:
# Example values only — replace with real credentials
vault_url: "http://localhost:8200"
vault_namespace: "admin"
vault_approle_role_id: "xxxxxxxx-60da-6224-d270-xxxxxxxx"
vault_approle_secret_id: "xxxxxxxx-2458-14b9-b643-xxxxxxxx"
vault_resource_suffix: ansible-test
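
Steps 2 and 3 above, sketched with the vault CLI against a dev server. This is an added example, not code from this repository; the role name, policy name, TTLs and the approle-defaults.yml output file are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example (not from the collection's repo). Run in a second terminal after
# step 1, e.g. `vault server -dev`. Assumes the vault CLI is on PATH and already
# authenticated (VAULT_TOKEN or the dev server's stored root token).
set -eu

VAULT_ADDR="${VAULT_ADDR:-http://127.0.0.1:8200}"; export VAULT_ADDR
ROLE="${ROLE:-ansible-test}"      # hypothetical role name
POLICY="${POLICY:-ansible-test}"  # hypothetical policy name

# Least-privilege policy for the KV v2 mount the dev server creates at secret/.
# The acl_policy modules need sys/policies/acl access as well; it is left out
# here so the test identity cannot rewrite its own policy.
write_policy() {
  vault policy write "$POLICY" - <<'EOF'
path "secret/data/*"     { capabilities = ["create", "read", "update", "delete"] }
path "secret/metadata/*" { capabilities = ["read", "list", "delete"] }
path "secret/delete/*"   { capabilities = ["update"] }
path "secret/undelete/*" { capabilities = ["update"] }
EOF
}

# Step 2: enable AppRole, create a role with bounded token and secret_id lifetimes.
setup_approle() {
  vault auth enable approle >/dev/null 2>&1 || true   # already enabled is fine
  write_policy >/dev/null
  vault write "auth/approle/role/$ROLE" token_policies="$POLICY" \
    token_ttl=1h token_max_ttl=4h secret_id_ttl=24h >/dev/null
}

# Step 3: fetch role_id, mint a secret_id, print them as the keys step 4 expects.
emit_defaults() (
  role_id="$(vault read -field=role_id "auth/approle/role/$ROLE/role-id")"
  secret_id="$(vault write -f -field=secret_id "auth/approle/role/$ROLE/secret-id")"
  printf 'vault_url: "%s"\n' "$VAULT_ADDR"
  printf 'vault_approle_role_id: "%s"\n' "$role_id"
  printf 'vault_approle_secret_id: "%s"\n' "$secret_id"
)

# Only contact Vault when called with "run". The output holds a live secret_id,
# so it is written owner-only; keep the file out of version control.
if [ "${1:-}" = "run" ]; then
  setup_approle
  ( umask 077; emit_defaults > approle-defaults.yml )
  echo "wrote approle-defaults.yml" >&2
fi
```

Invoke the script with the argument run, then copy the printed values into defaults/main.yml alongside vault_namespace and vault_resource_suffix.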

Support

As Red Hat Ansible Certified Content, this collection is entitled to support through the Ansible Automation Platform (AAP) using the Create issue button on the top right corner. If a support case cannot be opened with Red Hat and the collection has been obtained either from Galaxy or GitHub, there may be community help available on the Ansible Forum.

Release Notes and Roadmap

See the changelog.

Related Information

License Information

GNU General Public License v3.0 or later.

See LICENSE for the full text.
