Join AnsibleFest at Red Hat Summit!

ansible.builtin.vault filter – vault your secrets

Note

This filter plugin is part of ansible-core and included in all Ansible installations. In most cases, you can use the short plugin name vault. However, we recommend you use the Fully Qualified Collection Name (FQCN) ansible.builtin.vault for easy linking to the plugin documentation and to avoid conflicting with other collections that may have the same filter plugin name.

New in ansible-core 2.12

Synopsis

  • Put your information into an encrypted Ansible Vault.

Input

This describes the input of the filter, the value before | ansible.builtin.vault.

Parameter

Comments

Input

string / required

Data to vault.

Positional parameters

This describes positional parameters of the filter. These are the values positional1, positional2 and so on in the following example: input | ansible.builtin.vault(positional1, positional2, ...)

Parameter

Comments

secret

string / required

Vault secret, the key that lets you open the vault.

Keyword parameters

This describes keyword parameters of the filter. These are the values key1=value1, key2=value2 and so on in the following example: input | ansible.builtin.vault(key1=value1, key2=value2, ...)

Parameter

Comments

salt

string

Encryption salt, will be random if not provided.

While providing one makes the resulting encrypted string reproducible, it can lower the security of the vault.

vault_id

string

Secret identifier, used internally to try to best match a secret when multiple are provided.

Default: "filter_default"

wrap_object

boolean

This toggle can force the return of a VaultedValue-tagged string object, when False, you get a simple string.

Mostly useful when combining with the to_yaml filter to output the ‘inline vault’ format.

Choices:

  • false ← (default)

  • true

Notes

Note

  • When keyword and positional parameters are used together, positional parameters must be listed before keyword parameters: input | ansible.builtin.vault(positional1, positional2, key1=value1, key2=value2)

Examples

# Encrypt a value using the vault filter
vars:
  myvaultedkey: "{{ 'my_secret_key' | vault('my_vault_password') }}"

# Encrypt a value and save it to a file using the template module
vars:
  template_data: "{{ 'my_sensitive_data' | vault('another_vault_password', salt=(2**256 | random(seed=inventory_hostname))) }}"

# The content of dump_template_data.j2 looks like
#     Encrypted secret: {{ template_data }}
- name: Save vaulted data
  template:
    src: dump_template_data.j2
    dest: /some/key/vault.txt

Return Value

Key

Description

Return value

string

The vault string that contains the secret data (or VaultedValue-tagged string object).

Returned: success

Authors

  • Brian Coca (@bcoca)

Hint

Configuration entries for each entry type have a low to high priority order. For example, a variable that is lower in the list will override a variable that is higher up.