ansible.builtin.vault filter – vault your secrets

Note

This filter plugin is part of ansible-core and included in all Ansible installations. In most cases, you can use the short plugin name vault even without specifying the collections: keyword. However, we recommend you use the FQCN for easy linking to the plugin documentation and to avoid conflicting with other collections that may have the same filter plugin name.

New in ansible-core 2.12

Synopsis

  • Put your information into an encrypted Ansible Vault.

Input

This describes the input of the filter, the value before | ansible.builtin.vault.

Parameter: Input (string / required)
Comments: Data to vault.

Positional parameters

This describes positional parameters of the filter. These are the values positional1, positional2 and so on in the following example: input | ansible.builtin.vault(positional1, positional2, ...).

Parameter: secret (string / required)
Comments: Vault secret, the key that lets you open the vault.

Keyword parameters

This describes keyword parameters of the filter. These are the values key1=value1, key2=value2 and so on in the following example: input | ansible.builtin.vault(key1=value1, key2=value2, ...).

Parameter: salt (string)
Comments: Encryption salt, will be random if not provided. While providing one makes the resulting encrypted string reproducible, it can lower the security of the vault.

Parameter: vault_id (string)
Comments: Secret identifier, used internally to try to best match a secret when multiple are provided. Default: "filter_default"

Parameter: wrap_object (boolean)
Comments: This toggle can force the return of an AnsibleVaultEncryptedUnicode string object; when false, you get a simple string. Mostly useful when combining with the to_yaml filter to output the ‘inline vault’ format. Choices: false (default), true.

Examples

# simply encrypt my key in a vault
vars:
  myvaultedkey: "{{ keyrawdata | vault(passphrase) }}"

# a salt seeded per host makes the vaulted output reproducible between runs
- name: save templated vaulted data
  template: src=dump_template_data.j2 dest=/some/key/vault.txt
  vars:
    # parentheses are required: a filter binds tighter than **
    mysalt: '{{ (2**256) | random(seed=inventory_hostname) }}'
    template_data: '{{ secretdata | vault(vaultsecret, salt=mysalt) }}'
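
The salt caveat and the seeded-salt task above, made concrete as an added Python example (not part of the Ansible documentation or code base): the AES256 vault format derives its AES key, HMAC key and CTR IV from the secret and salt with PBKDF2-HMAC-SHA256, so a fixed salt under one secret repeats both key and IV. The function names and the sample envelopes are constructed for illustration; the envelopes carry placeholder HMAC and ciphertext bytes.

```python
import binascii
import hashlib
import os
from collections import defaultdict

def derive(secret: bytes, salt: bytes):
    """Vault AES256 key schedule: PBKDF2-HMAC-SHA256, 10000 rounds, 80 bytes."""
    dk = hashlib.pbkdf2_hmac("sha256", secret, salt, 10000, dklen=80)
    return dk[:32], dk[32:64], dk[64:80]  # AES-256 key, HMAC key, CTR IV

def envelope_salt(vaulttext: str) -> bytes:
    """Return the salt stored in a $ANSIBLE_VAULT;<version>;AES256 envelope."""
    lines = vaulttext.strip().splitlines()
    header = lines[0].split(";")
    if len(header) < 3 or header[0] != "$ANSIBLE_VAULT" or header[2] != "AES256":
        raise ValueError("not an AES256 vault envelope")
    # Body is hex of: hex(salt) \n hex(hmac) \n hex(ciphertext)
    inner = binascii.unhexlify("".join(row.strip() for row in lines[1:]))
    salt_hex, _hmac_hex, _ct_hex = inner.split(b"\n", 2)
    return binascii.unhexlify(salt_hex)

def reused_salts(vaulted: dict) -> dict:
    """Map salt -> names for every salt found in more than one vaulted value."""
    by_salt = defaultdict(list)
    for name, text in vaulted.items():
        by_salt[envelope_salt(text)].append(name)
    return {salt: names for salt, names in by_salt.items() if len(names) > 1}

def constructed_envelope(salt: bytes) -> str:
    """Constructed sample: real envelope layout, placeholder HMAC and ciphertext."""
    inner = b"\n".join(binascii.hexlify(p) for p in (salt, bytes(32), os.urandom(16)))
    body = binascii.hexlify(inner).decode()
    rows = [body[i:i + 80] for i in range(0, len(body), 80)]
    return "$ANSIBLE_VAULT;1.1;AES256\n" + "\n".join(rows) + "\n"

if __name__ == "__main__":
    fixed = b"constructed-fixed-salt"
    # Same secret and salt: key and IV repeat, so AES-CTR reuses its keystream.
    print("fixed salt repeats key/IV:", derive(b"pw", fixed) == derive(b"pw", fixed))
    print("random salt repeats key/IV:", derive(b"pw", os.urandom(32)) == derive(b"pw", fixed))
    sample = {"db_pass": constructed_envelope(fixed),
              "api_key": constructed_envelope(fixed),
              "tls_key": constructed_envelope(os.urandom(32))}
    print("values sharing a salt:", list(reused_salts(sample).values()))
```

Run `reused_salts` over the vaulted values in a repository to find entries that were encrypted with a shared salt and should be re-encrypted with the default random one.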

Return Value

Key: Return value (string)
Description: The vault string that contains the secret data (or AnsibleVaultEncryptedUnicode string object). Returned: success

Authors

  • Brian Coca (@bcoca)
