ansible.builtin.vault filter – vault your secrets
Note
This filter plugin is part of ansible-core and included in all Ansible installations. In most cases, you can use the short plugin name vault even without specifying the collections: keyword. However, we recommend you use the FQCN for easy linking to the plugin documentation and to avoid conflicting with other collections that may have the same filter plugin name.
New in ansible-core 2.12
Synopsis
Put your information into an encrypted Ansible Vault.
Input
This describes the input of the filter, the value before | ansible.builtin.vault.
Parameter | Comments |
---|---|
 | Data to vault. |
Positional parameters
This describes positional parameters of the filter. These are the values positional1, positional2 and so on in the following example: input | ansible.builtin.vault(positional1, positional2, ...)
Parameter | Comments |
---|---|
 | Vault secret, the key that lets you open the vault. |
Keyword parameters
This describes keyword parameters of the filter. These are the values key1=value1, key2=value2 and so on in the following example: input | ansible.builtin.vault(key1=value1, key2=value2, ...)
Parameter | Comments |
---|---|
 | Encryption salt, will be random if not provided. While providing one makes the resulting encrypted string reproducible, it can lower the security of the vault. |
 | Secret identifier, used internally to try to best match a secret when multiple are provided. Default: |
 | This toggle can force the return of an Mostly useful when combining with the Choices: |
Notes
Note
When keyword and positional parameters are used together, positional parameters must be listed before keyword parameters:
input | ansible.builtin.vault(positional1, positional2, key1=value1, key2=value2)
Examples
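```yaml
# simply encrypt my key in a vault
vars:
  myvaultedkey: "{{ keyrawdata | vault(passphrase) }}"

# a salt seeded from the host name gives the same vault text on every run for that host
- name: save templated vaulted data
  template: src=dump_template_data.j2 dest=/some/key/vault.txt
  vars:
    # parentheses are required: filters bind tighter than **, so 2**256|random means 2**(256|random)
    mysalt: '{{ (2**256) | random(seed=inventory_hostname) }}'
    template_data: '{{ secretdata | vault(vaultsecret, salt=mysalt) }}'
```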
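The salt caveat and the fixed-salt example above, as an added example (not part of the Ansible documentation or ansible-core's own code): a Python check that reads the salt out of vaulted strings and reports values that share one, because the same secret with the same salt derives the same AES key and CTR IV. It assumes the vault 1.1/1.2 AES256 envelope layout (hex of salt, HMAC, ciphertext) and PBKDF2-HMAC-SHA256 with 10000 iterations, details that are not stated on this page; the sample envelopes are constructed with placeholder HMAC and ciphertext bytes.

```python
import binascii
import hashlib
from collections import defaultdict


def derive(secret: bytes, salt: bytes):
    """Assumed KDF: PBKDF2-HMAC-SHA256, 10000 rounds, 80 bytes -> AES key, HMAC key, CTR IV."""
    okm = hashlib.pbkdf2_hmac("sha256", secret, salt, 10000, dklen=80)
    return okm[:32], okm[32:64], okm[64:]


def vault_salt(vaulttext: str) -> bytes:
    """Return the salt stored in a vault 1.1/1.2 AES256 envelope."""
    header, *body = vaulttext.strip().splitlines()
    fields = header.split(";")
    if fields[0] != "$ANSIBLE_VAULT" or len(fields) < 3 or fields[2] != "AES256":
        raise ValueError("not an AES256 vault envelope")
    inner = binascii.unhexlify("".join(line.strip() for line in body))
    salt_hex, _hmac_hex, _ct_hex = inner.split(b"\n", 2)
    return binascii.unhexlify(salt_hex)


def reused_salts(vaulted: dict) -> dict:
    """Map salt (hex) -> names of vaulted values sharing it; salts seen once are omitted."""
    seen = defaultdict(list)
    for name, text in vaulted.items():
        seen[vault_salt(text).hex()].append(name)
    return {salt: sorted(names) for salt, names in seen.items() if len(names) > 1}


def envelope(salt: bytes, mac: bytes, ct: bytes) -> str:
    """Build a constructed sample envelope (placeholder HMAC/ciphertext, not real output)."""
    inner = b"\n".join(binascii.hexlify(part) for part in (salt, mac, ct))
    hexed = binascii.hexlify(inner).decode()
    lines = [hexed[i:i + 80] for i in range(0, len(hexed), 80)]
    return "\n".join(["$ANSIBLE_VAULT;1.1;AES256", *lines]) + "\n"


# Constructed samples: two values vaulted with one fixed salt, one with its own salt.
FIXED = b"\x11" * 32
SAMPLES = {
    "db_password": envelope(FIXED, b"\xaa" * 32, b"\x01" * 16),
    "api_token": envelope(FIXED, b"\xbb" * 32, b"\x02" * 16),
    "tls_key": envelope(b"\x22" * 32, b"\xcc" * 32, b"\x03" * 16),
}

if __name__ == "__main__":
    print(derive(b"s3cret", FIXED) == derive(b"s3cret", FIXED))  # same key and IV
    print(reused_salts(SAMPLES))
```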
Return Value
Key | Description |
---|---|
 | The vault string that contains the secret data (or Returned: success |