ansible.builtin.vault filter – vault your secrets

Note

This filter plugin is part of ansible-core and included in all Ansible installations. In most cases, you can use the short plugin name vault. However, we recommend you use the Fully Qualified Collection Name (FQCN) ansible.builtin.vault for easy linking to the plugin documentation and to avoid conflicting with other collections that may have the same filter plugin name.

New in ansible-core 2.12

Synopsis

  • Put your information into an encrypted Ansible Vault.

Input

This describes the input of the filter, the value before | ansible.builtin.vault.

Parameter | Comments
Input (string / required) | Data to vault.

Positional parameters

This describes positional parameters of the filter. These are the values positional1, positional2 and so on in the following example: input | ansible.builtin.vault(positional1, positional2, ...)

Parameter | Comments
secret (string / required) | Vault secret, the key that lets you open the vault.

Keyword parameters

This describes keyword parameters of the filter. These are the values key1=value1, key2=value2 and so on in the following example: input | ansible.builtin.vault(key1=value1, key2=value2, ...)

Parameter | Comments
salt (string) | Encryption salt; a random one is generated if not provided. While providing one makes the resulting encrypted string reproducible, it can lower the security of the vault.
vault_id (string) | Secret identifier, used internally to try to best match a secret when multiple are provided. Default: "filter_default"
wrap_object (boolean) | This toggle can force the return of an AnsibleVaultEncryptedUnicode string object; when false, you get a simple string. Mostly useful when combining with the to_yaml filter to output the ‘inline vault’ format. Choices: false (default), true

Notes

Note

  • When keyword and positional parameters are used together, positional parameters must be listed before keyword parameters: input | ansible.builtin.vault(positional1, positional2, key1=value1, key2=value2)

Examples

# simply encrypt my key in a vault
vars:
  myvaultedkey: "{{ keyrawdata | vault(passphrase) }}"

- name: save templated vaulted data
  template:
    src: dump_template_data.j2
    dest: /some/key/vault.txt
  vars:
    # parentheses are required: filters bind tighter than **, so 2**256|random means 2**(256|random)
    mysalt: '{{ (2**256) | random(seed=inventory_hostname) }}'
    template_data: '{{ secretdata | vault(vaultsecret, salt=mysalt) }}'
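
The salt caveat above, as an added example that is not part of the Ansible documentation: with the same secret and the same salt, the Vault AES256 key derivation yields the same AES-CTR key, HMAC key and IV, so every value vaulted that way shares one keystream. The sketch audits vault strings for shared salts. It assumes the Vault 1.1 AES256 envelope layout and KDF parameters used by ansible-core; all function names and the sample envelopes are constructed for illustration.

```python
import binascii
import hashlib
from collections import defaultdict

def derive_key_material(secret: bytes, salt: bytes):
    """Vault AES256 KDF: PBKDF2-HMAC-SHA256, 10000 rounds, 80 bytes of output."""
    km = hashlib.pbkdf2_hmac("sha256", secret, salt, 10000, dklen=80)
    return km[:32], km[32:64], km[64:]  # AES-CTR key, HMAC key, CTR IV

def vault_salt(vaulttext: str) -> bytes:
    """Return the salt stored in a $ANSIBLE_VAULT;1.x;AES256 envelope."""
    lines = vaulttext.strip().splitlines()
    header = lines[0].strip().split(";")
    if len(header) < 3 or header[0] != "$ANSIBLE_VAULT" or header[2] != "AES256":
        raise ValueError("not an AES256 vault envelope")
    # Body is hex of: hex(salt) \n hex(hmac) \n hex(ciphertext)
    payload = binascii.unhexlify("".join(l.strip() for l in lines[1:]))
    salt_hex, _hmac_hex, _ct_hex = payload.split(b"\n", 2)
    return binascii.unhexlify(salt_hex)

def reused_salts(named_vaults: dict) -> dict:
    """Map each salt that occurs more than once to the names that share it."""
    by_salt = defaultdict(list)
    for name, text in named_vaults.items():
        by_salt[vault_salt(text)].append(name)
    return {s: sorted(n) for s, n in by_salt.items() if len(n) > 1}

def constructed_envelope(salt: bytes, filler: bytes) -> str:
    """Build a well-formed envelope with dummy HMAC and ciphertext (test data only)."""
    parts = (salt, filler * 32, filler * 16)
    body = binascii.hexlify(b"\n".join(binascii.hexlify(p) for p in parts)).decode()
    rows = [body[i:i + 80] for i in range(0, len(body), 80)]
    return "\n".join(["$ANSIBLE_VAULT;1.1;AES256"] + rows)

# Constructed sample: two values vaulted with the same fixed salt, one with another.
SAMPLES = {
    "db_password": constructed_envelope(b"fixed-salt", b"\x01"),
    "api_token": constructed_envelope(b"fixed-salt", b"\x02"),
    "tls_key": constructed_envelope(b"another-salt", b"\x03"),
}

if __name__ == "__main__":
    for salt, names in reused_salts(SAMPLES).items():
        print(f"salt {salt!r} shared by {names}")
    a = derive_key_material(b"passphrase", b"fixed-salt")
    b = derive_key_material(b"passphrase", b"fixed-salt")
    print("same key, HMAC key and CTR IV:", a == b)
```

Any pair of names the audit reports under one salt was encrypted with the same key and IV if the secret was also the same, which is the case to avoid when passing `salt` explicitly.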

Return Value

Key | Description
Return value (string) | The vault string that contains the secret data (or AnsibleVaultEncryptedUnicode string object). Returned: success

Authors

  • Brian Coca (@bcoca)

Hint

Configuration entries for each entry type have a low to high priority order. For example, a variable that is lower in the list will override a variable that is higher up.