Install and configure HashiCorp Vault Agent on your system.
| GitHub | GitLab | Downloads | Version |
|---|---|---|---|
 |
 |
 |
 |
This example is taken from molecule/default/converge.yml and is tested on each push, pull request and release.
---
- name: Converge
hosts: all
become: true
gather_facts: true
roles:
- role: robertdebock.vault_agent
vault_agent_address: "http://vault.example.com:8200"
vault_agent_auto_auth:
methods:
- name: "approle"
config:
role_id_file_path: "/etc/vault-agent/role_id"
secret_id_file_path: "/etc/vault-agent/secret_id"
# - name: "aws"
# mount_path: "auth/aws-subaccount"
# config:
# type: "iam"
# role: "foobar"
sinks:
- name: file
config:
path: "/tmp/file-foo"
- name: "file"
wrap_ttl: "5m"
aad_env_var: "Test_AAD_ENV"
dh_type: "curve25519"
dh_path: "/tmp/file-foo-dhpath2"
config:
path: "/tmp/file-bar"
vault_agent_listeners:
# - name: "unix"
# address: "/path/to/socket"
# tls_disable: true
# agent_api:
# enable_quit: true
- name: "tcp"
address: "127.0.0.1:8100"
tls_disable: true
# vault_agent_templates:
# - source: "/etc/vault-agent/server.key.ctmpl"
# destination: "/tmp/server.key"
# - source: "/etc/vault-agent/server.crt.ctmpl"
# destination: "/tmp/server.crt"
vault_agent_env_templates:
- name: "USERNAME"
contents: "{{ '{{ with secret \\\"secret/data/foo\\\" }}{{ .Data.data.password }}{{ end }}' }}"
error_on_missing_key: true
- name: "PASSWORD"
contents: "{{ '{{ with secret \\\"secret/data/foo\\\" }}{{ .Data.data.user }}{{ end }}' }}"
error_on_missing_key: true
vault_agent_exec:
command: ["/path/to/my-app", "arg1", "arg2"]
restart_on_secret_changes: "always"
restart_stop_signal: "SIGTERM"The machine needs to be prepared. In CI this is done using molecule/default/prepare.yml:
---
- name: Prepare
hosts: all
become: true
gather_facts: false
roles:
- role: robertdebock.bootstrap
- role: robertdebock.core_dependencies
- role: robertdebock.hashicorp
tasks:
- name: Create /etc/vault-agent directory
ansible.builtin.file:
path: /etc/vault-agent
state: directory
owner: root
group: root
mode: 0755
- name: Place fake approle id and secret
ansible.builtin.copy:
content: "FAKE"
dest: "{{ item }}"
owner: root
group: root
mode: 0644
loop:
- /etc/vault-agent/role_id
- /etc/vault-agent/secret_id
- name: Pleace Vault agent templates
ansible.builtin.copy:
content: "FAKE"
dest: "{{ item }}"
owner: root
group: root
mode: 0644
loop:
- /etc/vault-agent/server.key.ctmpl
- /etc/vault-agent/server.crt.ctmplAlso see a full explanation and example on how to use these roles.
The default values for the variables are set in defaults/main.yml:
---
# defaults file for vault_agent
# The user that owns the Vault configuration files.
vault_agent_user: "vault"
# The group that owns the Vault configuration files.
vault_agent_group: "vault"
# The PID file for the Vault agent.
# vault_agent_pid_file: "./pidfile"
# The Vault address where the agent can connect to.
# vault_agent_address: "http://vault.example.com:8200"
# The number of times to retry connecting to Vault.
vault_agent_retries: 5
# The authentication method to use.
# vault_agent_auto_auth:
# methods:
# - name: "aws"
# mount_path: "auth/aws-subaccount"
# config:
# type: "iam"
# role: "foobar"
# sinks:
# - name: file
# config:
# path: "/tmp/file-foo"
# - name: "file"
# wrap_ttl: "5m"
# aad_env_var: "Test_AAD_ENV"
# dh_type: "curve25519"
# dh_path: "/tmp/file-foo-dhpath2"
# config:
# path: "/tmp/file-bar"
# By specifying (an empty cache configuration), the agent will store the token in the cache.
vault_agent_cache: {}
# Should this Vault offer proxy capabilties?
# vault_agent_api_proxy:
# use_auto_auth_token: true
# A list of listeners to configure.
# vault_agent_listeners:
# - name: "tcp"
# address: "/path/to/socket"
# tls_disable: true
# agent_api:
# enable_quit: true
# - name: "tcp"
# address: "127.0.0.1:8100"
# tls_disable: true
# A list of templates to render. The files mentioned in the source will not be placed by this role.
# vault_agent_templates:
# - source: "/etc/vault/server.key.ctmpl"
# destination: "/etc/vault/server.key"
# - source: "/etc/vault/server.crt.ctmpl"
# destination: "/etc/vault/server.crt"- pip packages listed in requirements.txt.
The following roles are used to prepare a system. You can prepare your system in another way.
| Requirement | GitHub | GitLab |
|---|---|---|
| robertdebock.bootstrap |  |
 |
| robertdebock.core_dependencies |  |
 |
| robertdebock.hashicorp |  |
 |
This role is a part of many compatible roles. Have a look at the documentation of these roles for further information.
Here is an overview of related roles:
This role has been tested on these container images:
| container | tags |
|---|---|
| Amazon | Candidate |
| Debian | all |
| EL | 9 |
| Fedora | 39, 40 |
| Ubuntu | all |
The minimum version of Ansible required is 2.12, tests have been done to:
- The previous version.
- The current version.
- The development version.
If you find issues, please register them in GitHub.
Please consider sponsoring me.