ansible.builtin.vault filter – vault your secrets

Note

This filter plugin is part of ansible-core and included in all Ansible installations. In most cases, you can use the short plugin name vault even without specifying the collections: keyword. However, we recommend you use the FQCN for easy linking to the plugin documentation and to avoid conflicting with other collections that may have the same filter plugin name.

New in ansible-core 2.12

Synopsis

  • Put your information into an encrypted Ansible Vault.

Input

This describes the input of the filter, the value before | ansible.builtin.vault.

Parameter

Comments

Input

string / required

Data to vault.

Positional parameters

This describes positional parameters of the filter. These are the values positional1, positional2 and so on in the following example: input | ansible.builtin.vault(positional1, positional2, ...)

Parameter

Comments

secret

string / required

Vault secret, the key that lets you open the vault.

Keyword parameters

This describes keyword parameters of the filter. These are the values key1=value1, key2=value2 and so on in the following example: input | ansible.builtin.vault(key1=value1, key2=value2, ...)

Parameter

Comments

salt

string

Encryption salt, will be random if not provided.

While providing one makes the resulting encrypted string reproducible, it can lower the security of the vault.

vault_id

string

Secret identifier, used internally to try to best match a secret when multiple are provided.

Default: "filter_default"

wrap_object

boolean

This toggle can force the return of an AnsibleVaultEncryptedUnicode string object, when False, you get a simple string.

Mostly useful when combining with the to_yaml filter to output the ‘inline vault’ format.

Choices:

  • false ← (default)

  • true

Notes

Note

  • When keyword and positional parameters are used together, positional parameters must be listed before keyword parameters: input | ansible.builtin.vault(positional1, positional2, key1=value1, key2=value2)

Examples

# simply encrypt my key in a vault
vars:
  myvaultedkey: "{{ keyrawdata|vault(passphrase) }} "

- name: save templated vaulted data
  template: src=dump_template_data.j2 dest=/some/key/vault.txt
  vars:
    mysalt: '{{2**256|random(seed=inventory_hostname)}}'
    template_data: '{{ secretdata|vault(vaultsecret, salt=mysalt) }}'

Return Value

Key

Description

Return value

string

The vault string that contains the secret data (or AnsibleVaultEncryptedUnicode string object).

Returned: success

Authors

  • Brian Coca (@bcoca)

Hint

Configuration entries for each entry type have a low to high priority order. For example, a variable that is lower in the list will override a variable that is higher up.