community.hashi_vault.vault_write module – Perform a write operation against HashiCorp Vault
Note
This module is part of the community.hashi_vault collection (version 6.2.0).
You might already have this collection installed if you are using the ansible package. It is not included in ansible-core.
To check whether it is installed, run ansible-galaxy collection list.
To install it, use: ansible-galaxy collection install community.hashi_vault.
You need further requirements to be able to use this module, see Requirements for details.
To use it in a playbook, specify: community.hashi_vault.vault_write.
New in community.hashi_vault 2.4.0
Synopsis
Performs a generic write operation against a given path in HashiCorp Vault, returning any output.
Requirements
The below requirements are needed on the host that executes this module.
- hvac (Python library)

For detailed requirements, see the collection requirements page.
Parameters
Parameter |
Comments |
---|---|
Authentication method to be used.
Choices:
|
|
The AWS access key to use. |
|
If specified, sets the value to use for the |
|
The AWS profile |
|
The AWS secret key that corresponds to the access key. |
|
The AWS security token if using temporary access and secret keys. |
|
The client ID (also known as application ID) of the Azure AD service principal or managed identity. Should be a UUID. If not specified, will use the system assigned managed identity. |
|
The client secret of the Azure AD service principal. |
|
The resource URL for the application registered in Azure Active Directory. Usually should not be changed from the default. Default: |
|
The Azure Active Directory Tenant ID (also known as the Directory ID) of the service principal. Should be a UUID. Required when using a service principal to authenticate to Vault, e.g. required when both azure_client_id and azure_client_secret are specified. Optional when using managed identity to authenticate to Vault. |
|
Path to certificate to use for authentication. If not specified by any other means, the |
|
For |
|
For |
|
A dictionary to be serialized to JSON and then sent as the request body. If the dictionary contains keys named Default: |
|
The JSON Web Token (JWT) to use for JWT authentication to Vault. |
|
Vault mount point. If not specified, the default mount point for a given auth method is used. Does not apply to token authentication. |
|
Vault namespace where secrets reside. This option requires HVAC 0.7.0+ and Vault 0.11+. Optionally, this may be achieved by prefixing the authentication mount point and/or secret path with the namespace (e.g If environment variable |
|
Authentication password. |
|
Vault path to be written to. |
|
URL(s) to the proxies used to access the Vault service. It can be a string or a dict. If it’s a dict, provide the scheme (eg. If it’s a string, provide a single URL that will be used as the proxy for both A string that can be interpreted as a dictionary will be converted to one (see examples). You can specify a different proxy for HTTP and HTTPS resources. If not specified, environment variables from the Requests library are used. |
|
The AWS region for which to create the connection. |
|
Allows for retrying on errors, based on the Retry class in the urllib3 library. This collection defines recommended defaults for retrying connections to Vault. This option can be specified as a positive number (integer) or dictionary. If this option is not specified or the number is A number sets the total number of retries, and uses collection defaults for the other settings. A dictionary value is used directly to initialize the For detailed information on retries, see the collection User Guide. |
|
Controls whether and how to show messages on retries. This has no effect if a request is not retried. Choices:
|
|
Vault Role ID or name. Used in For For |
|
Secret ID to be used for Vault AppRole authentication. |
|
Sets the connection timeout in seconds. If not set, then the |
|
Vault token. Token may be specified explicitly, through the listed [env] vars, and also through the If no token is supplied, explicitly or through env, then the plugin will check for a token file, as determined by token_path and token_file. The order of token loading (first found wins) is |
|
If no token is specified, will try to read the token from this file in token_path. Default: |
|
If no token is specified, will try to read the token_file from this path. |
|
For token auth, will perform a Disable if your token does not have the Choices:
|
|
URL to the Vault service. If not specified by any other means, the value of the If |
|
Authentication user name. |
|
Controls verification and validation of SSL certificates, mostly you only want to turn off with self signed ones. Will be populated with the inverse of Will default to Choices:
|
|
Specifies response wrapping token creation with duration. For example |
Attributes
Attribute |
Support |
Description |
---|---|---|
Action group: community.hashi_vault.vault |
Use |
|
Support: partial In check mode, an empty response will be returned and the write will not be performed. |
Can run in |
Notes
Note
- vault_write is a generic module to do operations that do not yet have a dedicated module. Where a specific module exists, that should be used instead.
- The data option is not treated as secret and may be logged. Use the no_log keyword if data contains sensitive values.
- This module always reports changed status because it cannot guarantee idempotence.
- Use changed_when to control that in cases where the operation is known to not change state.
See Also
See also
- community.hashi_vault.vault_write lookup
  The official documentation for the community.hashi_vault.vault_write lookup plugin.
- community.hashi_vault.vault_read
  Perform a read operation against HashiCorp Vault.
- community.hashi_vault.vault_read lookup
  The official documentation for the community.hashi_vault.vault_read lookup plugin.
Examples
- name: Write a value to the cubbyhole via the remote host with userpass auth
  community.hashi_vault.vault_write:
    url: https://vault:8201
    path: cubbyhole/mysecret
    data:
      key1: val1
      key2: val2
    auth_method: userpass
    username: user
    password: '{{ passwd }}'
  register: result

- name: Display the result of the write (this can be empty)
  ansible.builtin.debug:
    msg: "{{ result.data }}"

- name: Write secret to Vault using key value V2 engine
  community.hashi_vault.vault_write:
    path: secret/data/mysecret
    data:
      data:
        key1: val1
        key2: val2

- name: Retrieve an approle role ID from Vault via the remote host
  community.hashi_vault.vault_read:
    url: https://vault:8201
    path: auth/approle/role/role-name/role-id
  register: approle_id

- name: Generate a secret-id for the given approle
  community.hashi_vault.vault_write:
    url: https://vault:8201
    path: auth/approle/role/role-name/secret-id
  register: secret_id

- name: Display the role ID and secret ID
  ansible.builtin.debug:
    msg:
      - "role-id: {{ approle_id.data.data.role_id }}"
      - "secret-id: {{ secret_id.data.data.secret_id }}"
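
The Notes above call for no_log when data holds sensitive values and for changed_when when a write is known not to change state. The tasks below are an added example, not taken from the module's documentation, that applies both and uses wrap_ttl so the secret-id comes back only inside a response-wrapping token. The transit mount, the key name app-key, the db_password variable and the registered variable names are assumptions.

```yaml
# Added example. Assumed: a transit engine mounted at "transit" with an
# existing key "app-key", and a variable db_password defined elsewhere.
- name: Encrypt a value with the transit engine
  community.hashi_vault.vault_write:
    url: https://vault:8201
    path: transit/encrypt/app-key
    data:
      # The transit engine expects base64-encoded plaintext.
      plaintext: "{{ db_password | b64encode }}"
  register: encrypted
  # data is not treated as secret by the module, so keep the task
  # arguments and its result out of task output and logs.
  no_log: true
  # Encrypting with an existing key does not modify Vault state;
  # without this the task would always report "changed".
  changed_when: false

- name: Generate a response-wrapped secret-id for the given approle
  community.hashi_vault.vault_write:
    url: https://vault:8201
    path: auth/approle/role/role-name/secret-id
    # Vault returns a short-lived wrapping token instead of the secret-id.
    wrap_ttl: 5m
  register: wrapped_secret_id
  no_log: true

- name: Keep only the wrapping token for hand-off to the consumer
  ansible.builtin.set_fact:
    # A wrapped response carries the token under wrap_info in the raw result.
    secret_id_wrap_token: "{{ wrapped_secret_id.data.wrap_info.token }}"
  no_log: true

- name: Confirm that ciphertext was returned without printing it
  ansible.builtin.assert:
    that:
      - encrypted.data.data.ciphertext is defined
    quiet: true
```

The secret-id generation task is left to report changed, since issuing a new secret-id does alter state in Vault.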
Return Values
Common return values are documented here, the following are the fields unique to this module:
Key |
Description |
---|---|
The raw result of the write against the given path. Returned: success |