vault¶
Collection Note
This module is part of the ansible.builtin collection. To install the collection, use:
Added in version2.12.
Synopsis¶
- Put your information into an encrypted Ansible Vault.
Parameters¶
| Parameter | Defaults / Choices | Comments |
|---|---|---|
| _input string required |
Data to vault. | |
| salt string |
Encryption salt, will be random if not provided. While providing one makes the resulting encrypted string reproducible, it can lower the security of the vault. |
|
| secret string required |
Vault secret, the key that lets you open the vault. | |
| vault_id string |
Default: filter_default |
Secret identifier, used internally to try to best match a secret when multiple are provided. |
| wrap_object bool |
This toggle can force the return of a C(VaultedValue)-tagged string object, when V(False), you get a simple string. Mostly useful when combining with the C(to_yaml) filter to output the 'inline vault' format. |
Examples¶
# Encrypt a value using the vault filter
vars:
myvaultedkey: "{{ 'my_secret_key' | vault('my_vault_password') }}"
# Encrypt a value and save it to a file using the template module
vars:
template_data: "{{ 'my_sensitive_data' | vault('another_vault_password', salt=(2**256 | random(seed=inventory_hostname))) }}"
# The content of dump_template_data.j2 looks like
# Encrypted secret: {{ template_data }}
- name: Save vaulted data
template:
src: dump_template_data.j2
dest: /some/key/vault.txt
Return Values¶
| Key | Data Type | Description | Returned |
|---|---|---|---|
| _value | string | The vault string that contains the secret data (or C(VaultedValue)-tagged string object). |
Authors¶
- Brian Coca (@bcoca)