ansible.builtin.unvault filter – Open an Ansible Vault

Note

This filter plugin is part of ansible-core and included in all Ansible installations. In most cases, you can use the short plugin name unvault even without specifying the collections: keyword. However, we recommend you use the FQCN for easy linking to the plugin documentation and to avoid conflicting with other collections that may have the same filter plugin name.

New in ansible-core 2.12

Synopsis

  • Retrieve your information from an encrypted Ansible Vault.

Input

This describes the input of the filter, the value before | ansible.builtin.unvault.

Parameter

Comments

Input

string / required

Vault string, or an AnsibleVaultEncryptedUnicode string object.

Positional parameters

This describes positional parameters of the filter. These are the values positional1, positional2 and so on in the following example: input | ansible.builtin.unvault(positional1, positional2, ...).

Parameter

Comments

secret

string / required

Vault secret, the key that lets you open the vault.

Keyword parameters

This describes keyword parameters of the filter. These are the values key1=value1, key2=value2 and so on in the following example: input | ansible.builtin.unvault(key1=value1, key2=value2, ...).

Parameter

Comments

vault_id

string

Secret identifier, used internally to try to best match a secret when multiple are provided.

Default: "filter_default"

Examples

# simply decrypt my key from a vault
vars:
  mykey: "{{ myvaultedkey|unvault(passphrase) }} "

- name: save templated unvaulted data
  template: src=dump_template_data.j2 dest=/some/key/clear.txt
  vars:
    template_data: '{{ secretdata|unvault(vaultsecret) }}'

Return Value

Key

Description

Return value

string

The string that was contained in the vault.

Returned: success

Authors

  • Brian Coca (@bcoca)

Hint

Configuration entries for each entry type have a low to high priority order. For example, a variable that is lower in the list will override a variable that is higher up.