{"id":15140701,"url":"https://github.com/robertdebock/ansible-role-vault_agent","last_synced_at":"2026-03-13T18:07:43.649Z","repository":{"id":241059187,"uuid":"804197393","full_name":"robertdebock/ansible-role-vault_agent","owner":"robertdebock","description":"Install and configure HashiCorp Vault Agent on your system.","archived":false,"fork":false,"pushed_at":"2025-03-06T16:28:22.000Z","size":79,"stargazers_count":3,"open_issues_count":0,"forks_count":0,"subscribers_count":1,"default_branch":"master","last_synced_at":"2025-06-22T00:53:03.034Z","etag":null,"topics":["ansible","application","cloud","infrastructure","linux","molecule","playbook","security","system","tools","tox","vaultagent"],"latest_commit_sha":null,"homepage":"https://robertdebock.nl/","language":"Jinja","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/robertdebock.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":".github/FUNDING.yml","license":"LICENSE","code_of_conduct":"CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":"SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null},"funding":{"github":"robertdebock"}},"created_at":"2024-05-22T06:21:52.000Z","updated_at":"2025-03-06T16:12:13.000Z","dependencies_parsed_at":"2025-03-06T14:41:11.852Z","dependency_job_id":null,"html_url":"https://github.com/robertdebock/ansible-role-vault_agent","commit_stats":null,"previous_names":["robertdebock/ansible-role-vault_agent"],"tags_count":4,"template":false,"template_full_name":null,"purl":"pkg:github/robertdebock/ansible-role-vault_agent","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/robertdebock%2Fansible-role-vault_agent","tags_url":"https://repos.ecosyste.ms/ap
i/v1/hosts/GitHub/repositories/robertdebock%2Fansible-role-vault_agent/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/robertdebock%2Fansible-role-vault_agent/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/robertdebock%2Fansible-role-vault_agent/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/robertdebock","download_url":"https://codeload.github.com/robertdebock/ansible-role-vault_agent/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/robertdebock%2Fansible-role-vault_agent/sbom","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":262137149,"owners_count":23264675,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["ansible","application","cloud","infrastructure","linux","molecule","playbook","security","system","tools","tox","vaultagent"],"created_at":"2024-09-26T08:40:21.478Z","updated_at":"2026-03-13T18:07:43.643Z","avatar_url":"https://github.com/robertdebock.png","language":"Jinja","funding_links":["https://github.com/sponsors/robertdebock"],"categories":[],"sub_categories":[],"readme":"# [Ansible role vault_agent](#ansible-role-vault_agent)\n\nInstall and configure HashiCorp Vault Agent on your 
system.\n\n|GitHub|GitLab|Downloads|Version|\n|------|------|---------|-------|\n|[![github](https://github.com/robertdebock/ansible-role-vault_agent/workflows/Ansible%20Molecule/badge.svg)](https://github.com/robertdebock/ansible-role-vault_agent/actions)|[![gitlab](https://gitlab.com/robertdebock-iac/ansible-role-vault_agent/badges/master/pipeline.svg)](https://gitlab.com/robertdebock-iac/ansible-role-vault_agent)|[![downloads](https://img.shields.io/ansible/role/d/robertdebock/vault_agent)](https://galaxy.ansible.com/robertdebock/vault_agent)|[![Version](https://img.shields.io/github/release/robertdebock/ansible-role-vault_agent.svg)](https://github.com/robertdebock/ansible-role-vault_agent/releases/)|\n\n## [Example Playbook](#example-playbook)\n\nThis example is taken from [`molecule/default/converge.yml`](https://github.com/robertdebock/ansible-role-vault_agent/blob/master/molecule/default/converge.yml) and is tested on each push, pull request and release.\n\n```yaml\n---\n- name: Converge\n  hosts: all\n  become: true\n  gather_facts: true\n\n  roles:\n    - role: robertdebock.vault_agent\n      vault_agent_address: \"http://vault.example.com:8200\"\n      vault_agent_auto_auth:\n        methods:\n          - name: \"approle\"\n            config:\n              role_id_file_path: \"/etc/vault-agent/role_id\"\n              secret_id_file_path: \"/etc/vault-agent/secret_id\"\n        #   - name: \"aws\"\n        #     mount_path: \"auth/aws-subaccount\"\n        #     config:\n        #       type: \"iam\"\n        #       role: \"foobar\"\n        sinks:\n          - name: file\n            config:\n              path: \"/tmp/file-foo\"\n          - name: \"file\"\n            wrap_ttl: \"5m\"\n            aad_env_var: \"Test_AAD_ENV\"\n            dh_type: \"curve25519\"\n            dh_path: \"/tmp/file-foo-dhpath2\"\n            config:\n              path: \"/tmp/file-bar\"\n      vault_agent_listeners:\n        # - name: \"unix\"\n        #   address: 
\"/path/to/socket\"\n        #   tls_disable: true\n        #   agent_api:\n        #     enable_quit: true\n        - name: \"tcp\"\n          address: \"127.0.0.1:8100\"\n          tls_disable: true\n      # vault_agent_templates:\n      #   - source: \"/etc/vault-agent/server.key.ctmpl\"\n      #     destination: \"/tmp/server.key\"\n      #   - source: \"/etc/vault-agent/server.crt.ctmpl\"\n      #     destination: \"/tmp/server.crt\"\n      vault_agent_env_templates:\n        - name: \"USERNAME\"\n          contents: \"{{ '{{ with secret \\\\\\\"secret/data/foo\\\\\\\" }}{{ .Data.data.user }}{{ end }}' }}\"\n          error_on_missing_key: true\n        - name: \"PASSWORD\"\n          contents: \"{{ '{{ with secret \\\\\\\"secret/data/foo\\\\\\\" }}{{ .Data.data.password }}{{ end }}' }}\"\n          error_on_missing_key: true\n      vault_agent_exec:\n        command: [\"/path/to/my-app\", \"arg1\", \"arg2\"]\n        restart_on_secret_changes: \"always\"\n        restart_stop_signal: \"SIGTERM\"\n```\n\nThe machine needs to be prepared. 
In CI this is done using [`molecule/default/prepare.yml`](https://github.com/robertdebock/ansible-role-vault_agent/blob/master/molecule/default/prepare.yml):\n\n```yaml\n---\n- name: Prepare\n  hosts: all\n  become: true\n  gather_facts: false\n\n  roles:\n    - role: robertdebock.bootstrap\n    - role: robertdebock.core_dependencies\n    - role: robertdebock.hashicorp\n\n  tasks:\n    - name: Create /etc/vault-agent directory\n      ansible.builtin.file:\n        path: /etc/vault-agent\n        state: directory\n        owner: root\n        group: root\n        mode: 0755\n\n    - name: Place fake approle id and secret\n      ansible.builtin.copy:\n        content: \"FAKE\"\n        dest: \"{{ item }}\"\n        owner: root\n        group: root\n        mode: 0644\n      loop:\n        - /etc/vault-agent/role_id\n        - /etc/vault-agent/secret_id\n\n    - name: Place Vault agent templates\n      ansible.builtin.copy:\n        content: \"FAKE\"\n        dest: \"{{ item }}\"\n        owner: root\n        group: root\n        mode: 0644\n      loop:\n        - /etc/vault-agent/server.key.ctmpl\n        - /etc/vault-agent/server.crt.ctmpl\n```\n\nAlso see a [full explanation and example](https://robertdebock.nl/how-to-use-these-roles.html) on how to use these roles.\n\n## [Role Variables](#role-variables)\n\nThe default values for the variables are set in [`defaults/main.yml`](https://github.com/robertdebock/ansible-role-vault_agent/blob/master/defaults/main.yml):\n\n```yaml\n---\n# defaults file for vault_agent\n\n# The user that owns the Vault configuration files.\nvault_agent_user: \"vault\"\n\n# The group that owns the Vault configuration files.\nvault_agent_group: \"vault\"\n\n# The PID file for the Vault agent.\n# vault_agent_pid_file: \"./pidfile\"\n\n# The Vault address the agent connects to.\n# vault_agent_address: \"http://vault.example.com:8200\"\n\n# The number of times to retry connecting to Vault.\nvault_agent_retries: 5\n\n# The 
authentication method to use.\n# vault_agent_auto_auth:\n#   methods:\n#     - name: \"aws\"\n#       mount_path: \"auth/aws-subaccount\"\n#       config:\n#         type: \"iam\"\n#         role: \"foobar\"\n#   sinks:\n#     - name: file\n#       config:\n#         path: \"/tmp/file-foo\"\n#     - name: \"file\"\n#       wrap_ttl: \"5m\"\n#       aad_env_var: \"Test_AAD_ENV\"\n#       dh_type: \"curve25519\"\n#       dh_path: \"/tmp/file-foo-dhpath2\"\n#       config:\n#         path: \"/tmp/file-bar\"\n\n# By specifying an (empty) cache configuration, the agent will store the token in the cache.\nvault_agent_cache: {}\n\n# Should this Vault agent offer proxy capabilities?\n# vault_agent_api_proxy:\n#   use_auto_auth_token: true\n\n# A list of listeners to configure.\n# vault_agent_listeners:\n#   - name: \"unix\"\n#     address: \"/path/to/socket\"\n#     tls_disable: true\n#     agent_api:\n#       enable_quit: true\n#   - name: \"tcp\"\n#     address: \"127.0.0.1:8100\"\n#     tls_disable: true\n\n# A list of templates to render. The files mentioned in the source will not be placed by this role.\n# vault_agent_templates:\n#   - source: \"/etc/vault/server.key.ctmpl\"\n#     destination: \"/etc/vault/server.key\"\n#   - source: \"/etc/vault/server.crt.ctmpl\"\n#     destination: \"/etc/vault/server.crt\"\n```\n\n## [Requirements](#requirements)\n\n- pip packages listed in [requirements.txt](https://github.com/robertdebock/ansible-role-vault_agent/blob/master/requirements.txt).\n\n## [State of used roles](#state-of-used-roles)\n\nThe following roles are used to prepare a system. 
You can prepare your system in another way.\n\n| Requirement | GitHub | GitLab |\n|-------------|--------|--------|\n|[robertdebock.bootstrap](https://galaxy.ansible.com/robertdebock/bootstrap)|[![Build Status GitHub](https://github.com/robertdebock/ansible-role-bootstrap/workflows/Ansible%20Molecule/badge.svg)](https://github.com/robertdebock/ansible-role-bootstrap/actions)|[![Build Status GitLab](https://gitlab.com/robertdebock-iac/ansible-role-bootstrap/badges/master/pipeline.svg)](https://gitlab.com/robertdebock-iac/ansible-role-bootstrap)|\n|[robertdebock.core_dependencies](https://galaxy.ansible.com/robertdebock/core_dependencies)|[![Build Status GitHub](https://github.com/robertdebock/ansible-role-core_dependencies/workflows/Ansible%20Molecule/badge.svg)](https://github.com/robertdebock/ansible-role-core_dependencies/actions)|[![Build Status GitLab](https://gitlab.com/robertdebock-iac/ansible-role-core_dependencies/badges/master/pipeline.svg)](https://gitlab.com/robertdebock-iac/ansible-role-core_dependencies)|\n|[robertdebock.hashicorp](https://galaxy.ansible.com/robertdebock/hashicorp)|[![Build Status GitHub](https://github.com/robertdebock/ansible-role-hashicorp/workflows/Ansible%20Molecule/badge.svg)](https://github.com/robertdebock/ansible-role-hashicorp/actions)|[![Build Status GitLab](https://gitlab.com/robertdebock-iac/ansible-role-hashicorp/badges/master/pipeline.svg)](https://gitlab.com/robertdebock-iac/ansible-role-hashicorp)|\n\n## [Context](#context)\n\nThis role is part of many compatible roles. 
Have a look at [the documentation of these roles](https://robertdebock.nl/) for further information.\n\nHere is an overview of related roles:\n![dependencies](https://raw.githubusercontent.com/robertdebock/ansible-role-vault_agent/png/requirements.png \"Dependencies\")\n\n## [Compatibility](#compatibility)\n\nThis role has been tested on these [container images](https://hub.docker.com/u/robertdebock):\n\n|container|tags|\n|---------|----|\n|[Debian](https://hub.docker.com/r/robertdebock/debian)|all|\n|[EL](https://hub.docker.com/r/robertdebock/enterpriselinux)|9|\n|[Fedora](https://hub.docker.com/r/robertdebock/fedora)|all|\n|[Ubuntu](https://hub.docker.com/r/robertdebock/ubuntu)|noble, jammy|\n\nThe minimum version of Ansible required is 2.12; tests have been done on:\n\n- The previous version.\n- The current version.\n- The development version.\n\nIf you find issues, please register them on [GitHub](https://github.com/robertdebock/ansible-role-vault_agent/issues).\n\n## [License](#license)\n\n[Apache-2.0](https://github.com/robertdebock/ansible-role-vault_agent/blob/master/LICENSE).\n\n## [Author Information](#author-information)\n\n[robertdebock](https://robertdebock.nl/)\n\nPlease consider [sponsoring me](https://github.com/sponsors/robertdebock).\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Frobertdebock%2Fansible-role-vault_agent","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Frobertdebock%2Fansible-role-vault_agent","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Frobertdebock%2Fansible-role-vault_agent/lists"}