This Ansible role performs a basic Vault installation, including filesystem structure and example configuration.
It can also bootstrap a minimal development or evaluation server or HA Consul-backed cluster in a Vagrant and VirtualBox based environment. See README_VAGRANT.md and the associated Vagrantfile for more details about the developer mode setup.
Brian Shumates transferred this role to @ansible-community/hashicorp-tools. This role resides on GitHub pending fixing the integration with Ansible Galaxy. To install this role create a roles/requirements.yml
file in your Ansible project folder with the following contents:
- src: https://github.com/ansible-community/ansible-vault.git
name: ansible-community.ansible-vault
scm: git
version: master
You can use git tag in the version attribute. Also you can honor its legacy name: brianshumate.ansible-vault
.
This role requires Archlinux, AmazonLinux, FreeBSD, Debian or a RHEL based Linux distribution. It might work with other software versions, but does work with the following specific software and versions:
- Ansible: 2.8.4
- Vault: 1.4.0 and above
- AlmaLinux
- 8
- 9
- AmazonLinux
- 2
- 2022
- ArchLinux
- CentOS
- 7
- 8 stream
- 9 stream
- Debian
- 9 (stretch)
- 10 (buster)
- 11 (bullseye)
- FreeBSD
- 11
- RockyLinux
- 8
- 9
- Ubuntu
- 18.04 (Bionic Beaver)
- 20.04 (Focal Fossa)
- 22.04 (Jammy Jellyfish)
Sorry, there is no planned support at the moment for Windows.
By default, this role may restart vault
service when played (when there's a
configuration change, OS Packages installed/updated)
When there's no auto-unseal setup on your cluster, the restart may lead to a situation where all Vault instances will be sealed and your cluster will be down.
To avoid this situation, the service restart by the playbook can be disabled
by using the vault_service_restart
role variable.
Setting this vault_service_restart
to false
will disable the vault
service restart by the playbook. You may have to restart the service manually
to load any new configuration deployed.
The role defines variables in defaults/main.yml
:
- Set this to true if you enable listen vault on localhost
- Default value: false
- Set this to true if you see permission errors when the vault files are downloaded and unpacked locally. This issue can show up if the role has been downloaded by one user (like root), and the installation is done with a different user.
- Default value: false
-
Version to install
- Can be overridden with
VAULT_VERSION
environment variable - Will include "+prem" if vault_enterprise_premium=True
- Will include ".hsm" if vault_enterprise_premium_hsm=True
- Can be overridden with
-
Default value: 1.5.5
- Set this to true when installing Vault Enterprise; this is not currently
possible as a "remote only" install method
- Can be overridden with
VAULT_ENTERPRISE
environment variable
- Can be overridden with
- Default value: false
- package filename
- Default value:
"vault_{{ vault_version }}_linux_amd64.zip"
- package filename
- Default value:
"vault-enterprise_{{ vault_version }}_{{ vault_os }}_{{ vault_architecture }}.zip"
- Package download URL
- Default value:
"https://releases.hashicorp.com/vault/{{ vault_version }}/vault_{{ vault_version }}_linux_amd64.zip"
- Override this var if you have your zip hosted internally
- Works for enterprise installs also
- SHA summaries URL
- Override this var if you have your sha file is hosted internally
- Default value:
"https://releases.hashicorp.com/vault/{{ vault_version }}/vault_{{ vault_version}}_SHA256SUMS"
- Set this to
true
when installing Vault via HashiCorp Linux repository. When set, you can also definevault_repository_key_url
andvault_repository_url
to override the default URL of the GPG key for the repository and the default URL of the repository used. - Default value: false
- Name of rhsm repo
- Set this to the name of your rhsm repo when installing Vault via a RHSM repository (RedHat Satellite/Foreman/etc.).
When set, you need make sure
vault_install_hashi_repo
is set totrue
to enable repo install. And optionally also the rhsm subscription name withvault_rhsm_subscription_name
. - Default value: null
- Name of rhsm subscription
- Set the rhsm subscription name to attach the rhsm subscription via subscription-manager.
When set, you need make sure
vault_install_hashi_repo
is set totrue
to enable repo install. And also thatvault_rhsm_repo_id
is set. - Default value: null
- Set this to
true
will download Vault binary from each target instead of localhost - Default value: false
- SHA summaries filename (included for convenience not for modification)
- Default value:
"vault_{{ vault_version }}_SHA256SUMS"
- SHA summaries filename (included for convenience not for modification)
- Will attempt to download from
vault_checksum_file_url
if not present in files/ - Default value:
"vault-enterprise_{{ vault_version }}_SHA256SUMS"
- Binary installation path
- Default value:
/usr/local/bin
- Configuration file path
- Default value:
/etc/vault.d
- Use
"{{ vault_config_path }}"
to configure vault instead of"{{ vault_main_config }}"
- default vaule: false
- Path from where plugins can be loaded
- Default value:
/usr/local/lib/vault/plugins
- List of plugins to enable (Check uner
tasks/plugins
to see supported plugins.) - For example:
vault_plugins_enable: [ 'acme', 'example' ]
- Default value:
[]
- Directory where temporary plugin zip/installation files are placed. When installation is processed remotely.
- Default value:
/usr/local/src/vault/plugins
- Directory where temporary plugin zip/installation files are placed. When installation is processed locally.
- Default value:
{{ role_path }}/files/plugins
- Whether to clean up the temporary plugin zip/installation file directory after plugin install. Warning: When plugins don't provide a version number this could cause the plugins to be downloaded every time and thus breaking idempotence.
- Default value:
false
- Data path
- Default value:
/var/vault
- Log path
- Default value:
/var/log/vault
- PID file location
- Default value:
/var/run/vault
- Whether this role should disallow Vault from writing into config and plugin path. This should be enabled to follow Production Hardening.
- Default value: false
- Should this role manage the vault user?
- Default value: true
- OS user name
- Default value: vault
- OS group name
- Default value: bin
- OS additional groups as in ansibles user module
- Default value: null
- Should this role manage the vault group?
- Default value: false
- Cluster name label
- Default value: dc1
- Datacenter label
- Default value: dc1
- Enable vault web UI
- Default value: true
- Should the playbook restart Vault service when needed
- Default value: true
- Should the playbook reload Vault service when the main config changes.
- Default value: false
- Some installations may need some time between the first Vault start
and the first restart. Setting this to a value
>0
will add a pause time after the first Vault start. - Default value: 0
- A list of tcp listeners. Each listener can define any of the listener specific variables described in further detail below.
- Default value:
vault_tcp_listeners:
- vault_address: '{{ vault_address }}'
vault_port: '{{ vault_port }}'
vault_cluster_address: '{{ vault_cluster_address }}'
# vault_proxy_protocol_behavior: '{{ vault_proxy_protocol_behavior }}'
# vault_proxy_protocol_authorized_addrs: '{{ vault_proxy_protocol_authorized_addrs }}'
vault_tls_disable: '{{ vault_tls_disable }}'
vault_tls_certs_path: '{{ vault_tls_certs_path }}'
vault_tls_private_path: '{{ vault_tls_private_path }}'
vault_tls_cert_file: '{{ vault_tls_cert_file }}'
vault_tls_key_file: '{{ vault_tls_key_file }}'
vault_tls_ca_file: '{{ vault_tls_ca_file }}'
vault_tls_min_version: '{{ vault_tls_min_version }}'
vault_tls_cipher_suites: '{{ vault_tls_cipher_suites }}'
vault_tls_require_and_verify_client_cert: '{{ vault_tls_require_and_verify_client_cert }}'
vault_tls_disable_client_certs: '{{ vault_tls_disable_client_certs }}'
# vault_x_forwarded_for_authorized_addrs: '{{ vault_x_forwarded_for_authorized_addrs }}'
# vault_x_forwarded_for_hop_skips: '{{ vault_x_forwarded_for_hop_skips }}'
# vault_x_forwarded_for_reject_not_authorized: '{{ vault_x_forwarded_for_reject_not_authorized }}'
# vault_x_forwarded_for_reject_not_present: '{{ vault_x_forwarded_for_reject_not_present }}'
- Which storage backend should be selected, choices are: raft, consul, etcd, file, s3, and dynamodb
- Default value: raft
- User-specified source directory for TLS files for storage communication
- {{ vault_tls_src_files }}
- Path to directory containing backend tls certificate files
- {{ vault_tls_certs_path }}
- Path to directory containing backend tls key files
- {{ vault_tls_private_path }}
- Specifies the path to the certificate for backend communication (if supported).
- {{ vault_tls_cert_file }}
- Specifies the path to the private key for backend communication (if supported).
- {{ vault_tls_key_file }}
- CA certificate used for backend communication (if supported). This defaults to system bundle if not specified.
- {{ vault_tls_ca_file }}
- TLS servername to use when connecting with HTTPS
- Default value: none
- Inventory group name of servers hosting the raft backend
- Default value: vault_raft_servers
- Members of the raft cluster
- Default value: hosts in
vault_raft_group_name
group - Can be used to override the behaviour of dynamically selecting all hosts in
vault_raft_group_name
- Example:
vault_raft_cluster_members: - peer: vault-host-1 api_addr: https://vault-host-1:8200 - peer: vault-host-2 api_addr: https://vault-host-2:8200 - peer: vault-host-3 api_addr: https://vault-host-2:8200
- Setting the
vault_raft_cluster_members
statically enables you to run the role against a single host (instead of the entire host group)
- Data path for Raft
- Default value: vault_data_path
- Node_id for Raft
- Default value: inventory_hostname_short
- Performance multiplier for Raft
- Default value: none
- Logs entries count left on log store after snapshot
- Default value: none
- Minimum Raft commit entries between snapshots
- Default value: none
- Maximum number of bytes for a Raft entry
- Default value: none
- Interval after which autopilot will pick up any state changes
- Default value: none
- Defines any cloud auto-join metadata. If supplied, Vault will
attempt to automatically discover peers in addition to what can
be provided via
leader_api_addr
- Default value: none
- If set to
true
, anyleader_api_addr
occurences will be removed from the configuration. Keeping this tofalse
will allowauto_join
andleader_api_addr
to coexist - Default value: false
- URI scheme to be used for
auto_join
- Default value: none (
https
is the default value set by Vault if not specified)
- Port to be used for
auto_join
- Default value: none (
8200
is the default value set by Vault if not specified)
- Backend consul template filename
- Default value:
backend_consul.j2
- host:port value for connecting to Consul HA backend
- Default value: 127.0.0.1:8500
- Scheme for Consul backend
- Supported values: http, https
- Default value: http
- Name of Vault's Consul K/V root path
- Default value: vault
- Name of the Vault service to register in Consul
- Default value: vault
- ACL token for accessing Consul
- Default value: none
- Address of etcd storage
- Default value: 127.0.0.1:2379
- API version
- Default value: v3
- Path for Vault storage
- Default value: /vault/
- Discovery server
- Default value: none
- Discovery server name
- Default value: none
- Use storage for High Availability mode
- Default value: false
- Use etcdsync
- Default value: true
- Username
- Default value: none
- Password
- Default value: none
- Request timeout
- Default value: "5s"
- Lock timeout
- Default value: "15s"
- Backend file template filename
- Default value:
backend_file.j2
- Backend raft integrated storage template filename
- Default value:
vault_backend_raft.j2
- Identifier for the node in the integrated storage Raft cluster
- Default value: "raft_node_1"
- Details of all the nodes are known beforehand
- Default value: "[]"
- Address of a possible leader node.
- Default value: ""
- File path to the CA cert of the possible leader node.
- Default value: ""
- File path to the client certificate for the follower node to establish client authentication with the possible leader node.
- Default value: ""
- File path to the client key for the follower node to establish client authentication with the possible leader node.
- Default value: ""
- CA cert of the possible leader node.
- Default value: ""
- Client certificate for the follower node to establish client authentication with the possible leader node.
- Default value: ""
- Client key for the follower node to establish client authentication with the possible leader node.
- Default value: ""
For additional documentation for the various options available, see the Vault documentation for the DynamoDB storage backend.
- Specifies an alternative DynamoDB endpoint.
- Default value: none
- Can be overridden with the environment variable
AWS_DYNAMODB_ENDPOINT
.
- Can be overridden with the environment variable
- Name of the DynamoDB table used to store Vault data.
- If the table does not already exist, it will be created during initialization.
- Default value:
"vault-dynamodb-backend"
- Can be overridden with the environment variable
AWS_DYNAMODB_TABLE
.
- Can be overridden with the environment variable
- Whether High Availability is enabled for this storage backend.
- Default value:
"false"
- Can be overridden with the environment variable
DYNAMODB_HA_ENABLED
.- The missing
AWS_
prefix is not a typo, this particular variable is not prefixed in both the Vault documentation and source code.
- The missing
- Can be overridden with the environment variable
- The maximum number of concurrent requests.
- Default value:
"128"
- The AWS region.
- Default value:
us-east-1
- Can be overridden with the environment variable
AWS_DEFAULT_REGION
- Can be overridden with the environment variable
- Number of reads per second to provision for the table.
- Only used during table creation, has no effect if the table already exists.
- Default value:
5
- Can be overridden with the environment variable
AWS_DYNAMODB_READ_CAPACITY
.
- Can be overridden with the environment variable
- Number of writes per second to provision for the table.
- Only used during table creation, has no effect if the table already exists.
- Default value:
5
- Can be overridden with the environment variable
AWS_DYNAMODB_WRITE_CAPACITY
.
- Can be overridden with the environment variable
- AWS access key to use for authentication.
- Default value: none
- Can be overridden with the environment variable
AWS_ACCESS_KEY_ID
- Can be overridden with the environment variable
- Leaving both this and
vault_dynamodb_secret_key
blank will cause Vault to attempt to retrieve the credentials from the AWS metadata service.
- AWS secret key used for authentication.
- Default value: none
- Can be overridden with the environment variable
AWS_SECRET_ACCESS_KEY
- Can be overridden with the environment variable
- Leaving both this and
vault_dynamodb_access_key
blank will cause Vault to attempt to retrieve the credentials from the AWS metadata service.
- AWS session token.
- Default value: none
- Can be overridden with the environment variable
AWS_SESSION_TOKEN
- Can be overridden with the environment variable
- Specifies the name of the bucket to use for storage.
- Default value: none
- Specifies if high availability mode is enabled.
- Default value:
"false"
- Specifies the maximum size (in kilobytes) to send in a single request. If set to 0, it will attempt to send the whole object at once, but will not retry any failures.
- Default value:
"8192"
- Specifies the maximum number of parallel operations to take place.
- Default value:
"128"
- Copy GCP SA credentials file from Ansible control node to Vault server. When not
true
and no value is specified forvault_gcs_credentials_src_file
, the default instance service account credentials are used. - Default value:
"false"
- Path to GCP SA credential on Ansible control node.
- Default value: none
- Path to SA GCP credential on Vault server.
- Default value:
{{ vault_home }}/{{ vault_gcs_credentials_src_file | basename}}"
For additional information on the various options, see the Vault documentation for Consul service registration. Note that this is only available starting at Vault version 1.4.
- Enable Consul service registration
- Default value: false
- Consul service registration template filename
- Default value:
service_registration_consul.hcl.j2
- host:port value for connecting to Consul service registration
- Default value: 127.0.0.1:8500
- Specifies the check interval used to send health check information back to Consul.
- Default value: 5s
- Specifies whether Vault should register itself with Consul.
- Default value: false
- Scheme for Consul service registration
- Supported values: http, https
- Default value: http
- Name of the Vault service to register in Consul
- Default value: vault
- Specifies a comma-separated list of tags to attach to the service registration in Consul.
- Default value: ""
- Specifies a service-specific address to set on the service registration in Consul.
- Default value: nil
- ACL token for registering with Consul service registration
- Default value: none
- path to tls certificate
- default value
{{ vault_tls_certs_path }}
- path to tls key
- default value
{{ vault_tls_private_path }}
- CA certificate filename
- Default value:
{{ vault_tls_ca_file }}
- Server certificate
- Default value:
{{ vault_tls_cert_file }}
- Server key
- Default value:
{{ vault_tls_key_file }}
- Minimum acceptable TLS version
- Default value:
{{ vault_tls_min_version }}
- Disable verification of TLS certificates. Using this option is highly discouraged.
- Default value: false
For additional information on the various options, see the Vault documentation for Kubernetes service registration. Note that this is only available starting at Vault version 1.4.
- Enable Kubernetes service registration
- Default value: false
- Kubernetes service registration template filename
- Default value:
service_registration_kubernetes.hcl.j2
- Kubernetes namespace to register
- Default value: vault
- Kubernetes pod name to register
- Default value: vault
- Log level
- Supported values: trace, debug, info, warn, err
- Default value: info
- Requires Vault version 0.11.1 or higher
- Network interface
- Can be overridden with
VAULT_IFACE
environment variable
- Can be overridden with
- Default value: eth1
- Primary network interface address to use
- Default value:
"{{ hostvars[inventory_hostname]['ansible_'+vault_iface]['ipv4']['address'] }}"
- TCP port number to on which to listen
- Default value: 8200
- Configures the maximum possible lease duration for tokens and secrets.
- Default value: 768h (32 days)
- Configures the default lease duration for tokens and secrets.
- Default value: 768h (32 days)
- Main configuration file name (full path)
- Default value:
"{{ vault_config_path }}/vault_main.hcl"
- Vault main configuration template file
- Default value: vault_main_configuration.hcl.j2
- Vault custom configuration
- Default value: none
- Address to be used as the proxy for HTTP and HTTPS requests unless overridden by
vault_https_proxy
orvault_no_proxy
- Default value:
""
- Address to be used as the proxy for HTTPS requests unless overridden by
vault_no_proxy
- Default value:
""
- Comma separated values which specify hosts that should be exluded from proxying. Follows golang conventions
- Default value:
""
- Address to bind to for cluster server-to-server requests
- Default value:
"{{ hostvars[inventory_hostname]['ansible_'+vault_iface]['ipv4']['address'] }}:{{ (vault_port | int) + 1}}"
- Address to advertise to other Vault servers in the cluster for request forwarding
- Default value:
"{{ vault_protocol }}://{{ vault_cluster_address }}"
- HA Client Redirect address
- Default value:
"{{ vault_protocol }}://{{ vault_redirect_address or hostvars[inventory_hostname]['ansible_'+vault_iface]['ipv4']['address'] }}:{{ vault_port }}"
- vault_redirect_address is kept for backward compatibility but is deprecated.
- flag for disabling the health check on vaults api address
- Default value:
false
- Disable HA clustering
- Default value: false
- Disable Certificate Validation for API reachability check
- Default value: true
- May be one of
use_always
,allow_authorized
, ordeny_unauthorized
- Enables PROXY protocol for listener.
- If enabled and set to something other than
use_always
, you must also set- vault_proxy_protocol_authorized_addrs
- Comma-separated list of source IPs for which PROXY protocol information will be used.
- Default value: ""
- Path to TLS certificates
- Default value
/etc/vault/tls
- Path to TLS keys
- Default value
/etc/vault/tls
- Disable TLS
- Can be overridden with
VAULT_TLS_DISABLE
environment variable
- Can be overridden with
- Default value: 1
- Enable TLS Gossip to storage (if supported)
- Default value: 0
- User-specified source directory for TLS files
- Override with
VAULT_TLS_SRC_FILES
environment variable
- Override with
- Default value:
{{ role_path }}/files
- CA certificate filename
- Override with
VAULT_TLS_CA_CRT
environment variable
- Override with
- Default value:
ca.crt
- Client CA certificate filename
- Default value: ``
- Server certificate
- Override with
VAULT_TLS_CERT_FILE
environment variable
- Override with
- Default value:
server.crt
- Server key
- Override with
VAULT_TLS_KEY_FILE
environment variable
- Override with
- Default value:
server.key
- Minimum acceptable TLS version
- Can be overridden with
VAULT_TLS_MIN_VERSION
environment variable
- Can be overridden with
- Default value: tls12
- Comma-separated list of supported ciphersuites
- Default value: ""
- Require clients to present a valid client certificate
- Default value: false
- Disable requesting for client certificates
- Default value: false
- Copy TLS files from src to dest
- Default value: true
- Copy from remote source if TLS files are already on host
- Default value: false
- Comma-separated list of source IP CIDRs for which an X-Forwarded-For header will be trusted.
- Enables X-Forwarded-For support.
- If enabled, you may also set any of the following parameters:
- vault_x_forwarded_for_hop_skips with a format of "N" for the number of hops to skip
- vault_x_forwarded_for_reject_not_authorized with true/false
- vault_x_forwarded_for_reject_not_present with true/false
- Default value: ""
- BSD init template file
- Default value:
vault_service_bsd_init.j2
- SysV init template file
- Default value:
vault_sysvinit.j2
- Debian init template file
- Default value:
vault_service_debian_init.j2
- Systemd service template file
- Default value:
vault_service_systemd.j2
- Systemd service unit name
- Default value: "vault"
- Enable Vault telemetry
- If enabled, you must set at least one of the following parameters according to your telemetry provider:
- vault_statsite_address with a format of "FQDN:PORT"
- vault_statsd_address with a format of "FQDN:PORT"
- vault_prometheus_retention_time e.g: "30s" or "24h"
- If enabled, optionally set vault_telemetry_disable_hostname to strip the hostname prefix from telemetry data
- Default value: false
- Configure unauthenticated metrics access
- Default value: false
- Specifies the interval at which high-cardinality usage data is collected, such as token counts, entity counts, and secret counts.
- Default value: undefined
The vault
binary works on most Linux platforms and is not distribution
specific. However, some distributions require installation of specific OS
packages with different naming, so this role was built with support for
popular Linux distributions and defines these variables to deal with the
differences across distributions:
- Vault package filename
- Default value:
{{ vault_version }}_linux_amd64.zip
- Vault package download URL
- Default value:
{{ vault_zip_url }}
- List of OS packages to install
- Default value: list
- Vault package filename
- Default value:
"{{ vault_version }}_linux_amd64.zip"
- Vault package download URL
- Default value:
"{{ vault_zip_url }}"
- Vault download SHA256 summary
- Default value: SHA256 summary
- List of OS packages to install
- Default value: list
- Vault package filename
- Default value:
"{{ vault_version }}_linux_amd64.zip"
- Vault package download URL
- Default value:
"{{ vault_zip_url }}"
- Vault package SHA256 summary
- Default value: SHA256 summary
- List of OS packages to install
- Default value: list
- Vault package filename
- Default value:
"{{ vault_version }}_linux_amd64.zip"
- Vault package download URL
- Default value:
"{{ vault_zip_url }}"
- Vault package SHA256 summary
- Default value: SHA256 summary
- Enable log to
vault_log_path
- Default value: false
- Enable logrotation for systemd based systems
- Default value: false
- Determines how frequently to rotate vault logs
- Default value: 7
- Logrotate template file
- Default value:
vault_logrotate.j2
- List of OS packages to install
- Default value: list
NOTE: Read these before executing the role to avoid certain frequently encountered issues which are resolved by installing the correct dependencies.
Ansible requires GNU tar and this role performs some local use of the
unarchive module, so ensure that your system has gtar
installed.
The role depends on python-netaddr
so:
pip install netaddr
on the Ansible control host prior to executing the role.
Basic installation is possible using the included site.yml
playbook:
ansible-playbook -i hosts site.yml
You can also pass variables in using the --extra-vars
option to the
ansible-playbook
command:
ansible-playbook -i hosts site.yml --extra-vars "vault_datacenter=maui"
Specify a template file with a different backend definition
(see templates/backend_consul.j2
):
ansible-playbook -i hosts site.yml --extra-vars "vault_backend_file=backend_file.j2"
You need to make sure that the template file backend_file.j2
is in the
role directory for this to work.
See examples/README_VAGRANT.md
for details on quick Vagrant deployments
under VirtualBox for testing, etc.
example playbook for a file based vault instance.
- hosts: all
gather_facts: True
become: true
vars:
vault_backend: file
vault_cluster_disable: True
vault_log_level: debug
roles:
- vault
The role can install Vault Enterprise based instances.
Place the Vault Enterprise zip archive into {{ role_path }}/files
and set
vault_enterprise: true
or use the VAULT_ENTERPRISE="true"
environment
variable. Attempts to download the package from vault_zip_url
if zip is not found in files/.
- Set to True if using premium binary. Basically just includes "+prem" in "vault_version" var
- Default value: False
The role can configure HSM based instances. Make sure to reference the HSM support page and take notice of the behavior changes after HSM is installed.
- Set to True if using premium hsm binary. Basically just includes ".hsm" in "vault_version" var
- Default value: false
- Manage enterprise license file with this role. Set to
true
to usevault_license_path
orvault_license_file
. - Default value: false
- Path to enterprise license on the remote host (destination path).
license_path
in the main configuration file. Only used ifvault_configure_enterprise_license: true
. - Default value:
{{ vault_config_path }}/license.hclic
- Path to enterprise license on the Ansible controller (source file for upload). Upload skipped when empty or undefined. Only used if
vault_configure_enterprise_license: true
. - Default value: ""
- Set which cryptography app to use.
- Default value: pkcs11
NOTE: This seal will be migrated to the
pkcs11
seal and made consistent with the other seal types with respect to breaking naming changes soon.
- Backend seal template filename
- Default value:
vault_backend_seal.j2
- Set to the absolute path of the HSM library vault will call
- Default value:
/lib64/hsmlibrary.so
- The PIN for login. May also be specified by the VAULT_HSM_PIN environment variable. If set via the environment variable, Vault will obfuscate the environment variable after reading it, and it will need to be re-set if Vault is restarted.
- Default value: 12345
- The label of the key to use. If the key does not exist and generation is enabled, this is the label that will be given to the generated key. May also be specified by the VAULT_HSM_KEY_LABEL environment variable.
- Default value: ''
- The label of the HMAC key to use. If the key does not exist and generation is enabled, this is the label that will be given to the generated HMAC key. May also be specified by the VAULT_HSM_HMAC_KEY_LABEL environment variable.
- Default value: ''
- If no existing key with the label specified by key_label can be found at Vault initialization time, instructs Vault to generate a key. This is a boolean expressed as a string (e.g. "true"). May also be specified by the VAULT_HSM_GENERATE_KEY environment variable. Vault may not be able to successfully generate keys in all circumstances, such as if proprietary vendor extensions are required to create keys of a suitable type.
- Default value: false
- Do not change this unles you know you need to. The encryption/decryption mechanism to use, specified as a decimal or hexadecimal (prefixed by 0x) string. May also be specified by the VAULT_HSM_MECHANISM environment variable.
- Default value: ''
- Example for RSA: 0x0009
- The slot token label to use. May also be specified by the VAULT_HSM_TOKEN_LABEL environment variable. This label will only be applied when
vault_softcard_enable
is true. - Default value: ''
- Enable if you plan to use a softcard on your HSM.
- Default value: false
- The slot number to use, specified as a string (e.g. "0"). May also be specified by the VAULT_HSM_SLOT environment variable. This label will only be applied when
vault_softcard_enable
is false (default). - Default value: 0
- Set to True to include
entropy
stanza which enables entropy augmentation for supported seals. Supported Seal types include PKCS11, AWS KMS, and Vault Transit. - Default value: false
The following stanza will be included in the hcl main configuration file if vault_entropy_seal=true
:
entropy "seal" {
mode = "augmentation"
}
This feature enables operators to delegate the unsealing process to Google Key Management System Cloud to ease operations in the event of partial failure and to aid in the creation of new or ephemeral clusters.
This Auto-unseal mechanism is Open Source in Vault 1.0 but would require Enterprise binaries for any earlier version.
- Set to True to enable Google Cloud KMS Auto-Unseal.
- Default value: false
- Backend seal template filename
- Default value:
vault_seal_gcpkms.j2
- GCP Project where the key reside.
- Default value: ''
- Copy GCP SA credentials file from Ansible control node to Vault server. When not
true
and no value is specified forvault_gkms_credentials_src_file
, the default instance service account credentials are used. - Default value:
"true"
- User-specified source directory for GCP Credential on Ansible control node.
- Either this or vault_gkms_credentials_content must be set if vault_gkms enabled.
- Default value: ''
- User-specified GCP Credential file content.
- Either this or vault_gkms_credentials_src_file must be set if vault_gkms enabled.
- Default value: ''
- Path to GCP credential on Vault server.
- Default value:
/home/vault/vault-kms.json
- GCP Region where the key reside.
- Default value: global
- The id of the Google Cloud Platform KeyRing to which the key shall belong.
- Default value: vault
- The CryptoKey's name. A CryptoKey's name must be unique within a location and match the regular expression [a-zA-Z0-9_-]{1,63}
- Default value: vault_key
This feature enabled operators to delegate the unsealing process to OCI KMS to ease operations in the event of a partial failure and to aid in the creation of new or ephemeral clusters.
- Set to true to enable OCI KMS Auto-unseal.
- Default value: false
- Backend seal template filename.
- Default value:
vault_seal_ocikms.j2
- Specifies if using API key to authenticate to OCI KMS service.
- Default value: false
- The OCI KMS key ID to use.
- Default value: VAULT_OCIKMS_SEAL_KEY_ID
- The OCI KMS cryptographic endpoint (or data plane endpoint) to be used to make OCI KMS encryption/decryption requests.
- Default value: VAULT_OCIKMS_CRYPTO_ENDPOINT
- The OCI KMS management endpoint (or control plane endpoint) to be used to make OCI KMS key management requests.
- Default value: VAULT_OCIKMS_MANAGEMENT_ENDPOINT
This enables Vault to use another Vault instance for the unseal process using its transit secret engine
- Set to true to enable Vault Transit Auto-unseal
- Default value:
false
- Backend seal template filename
- Default value:
vault_seal_transit.j2
- Destination configuration file
- Default value:
vault_transit.hcl
- Vault Address of the instance used for auto unseal
- Default value: ``, this variable is mandatory if
vault_transit: true
- Token used to authenticate to the external vault instance
- Default value: ``, this variable is mandatory if
vault_transit: true
- Wether to disable automatic token renewal
- Default value:
false
- Name of the key used for auto unseal
- Default value:
autounseal
- Path where the transit engine is mounted to
- Default value:
transit/
- Namespace of the mounted transit engine
- Default value: ``, omitted per default
- CA Certificate of the external vault instance
- Default value:
ca_cert.pem
, omitted ifvault_transit_tls_skip_verify: true
- Client Certificate of the external vault instance
- Default value:
client_cert.pem
, omitted ifvault_transit_tls_skip_verify: true
- Client Key of the external vault instance
- Default value:
ca_cert.pem
, omitted ifvault_transit_tls_skip_verify: true
- TLS Servername of the external vault instance
- Default value: ``, omitted per default
- Wether to disable TLS certificate verification
- Default:
false
, can also be set viaVAULT_SKIP_VERIFY
This feature enabled operators to delegate the unsealing process to AWS KMS to ease operations in the event of a partial failure and to aid in the creation of new or ephemeral clusters.
- Set to true to enable AWS KMS Auto-unseal
- Default value: false
- Backend seal template filename
- Default value:
vault_seal_awskms.j2
- Which AWS KMS region to use
- Default value: us-east-1
- The AWS Access Key to use for talking to AWS KMS
- Default value: AWS_ACCESS_KEY_ID
- The AWS Secret Key ID to use for takling to AWS KMS
- Default value: AWS_SECRET_ACCESS_KEY
- The KMS Key ID to use for AWS KMS
- Default value: VAULT_AWSKMS_SEAL_KEY_ID
- The endpoint to use for KMS
- Default value: AWS_KMS_ENDPOINT
This feature enabled operators to delegate the unsealing process to AZURE Key Vaultto ease operations in the event of a partial failure and to aid in the creation of new or ephemeral clusters.
- Set to true to enable AZURE Key Vault Auto-unseal
- Default value: false
- Backend seal template filename
- Default value:
vault_seal_azurekeyvault.j2
- Application ID related to Service Principal Name for the Application used to connect to Azure
- Default value: EXAMPLE_CLIENT_ID
- Client Secret is the secret key attached to your Application
- Default value: EXAMPLE_CLIENT_SECRET
- Tenant ID is your Directory ID in Azure
- Default value: EXAMPLE_TENANT_ID
- The name of the Vault which hosts the key
- Default value: vault
- The key hosted in the Vault in Azure Key Vault
- Default value: vault_key
Installs vault-acme plugin, also enables the plugin if authenticated against vault (VAULT_ADDR
, VAULT_TOKEN
env).
- Setting this to
remote
will download the acme plugin to each target instead of copying it from localhost. - Choices: remote / local
- Default value:
remote
- Whether to install vault acme sidecar for
HTTP-01
/TLS_ALPN_01
challenges in addition to DNS-01. - Default value:
false
- Version of the acme plugin to install, can be set to
latest
for obtaining the latest available version. - Default value:
latest
BSD-2-Clause
Special thanks to the folks listed in CONTRIBUTORS.md for their contributions to this project.