An Ansible Playbook to renew a HashiCorp Vault token using the REST API
- Create a vault.yml file to pass the extra vars to the playbook. The vault.yml file should look like this:
vault_address: "https://vault.example.com:8200"
vault_token: "s.1234567890"- Encrypt the vault.yml file using ansible-vault:
ansible-vault encrypt vault.ymlYou can also pass the extra vars directly to the playbook using the -e flag. Or if running in AAP, you can attach them to the job template.
- Run the playbook:
ansible-playbook renew.yml -e @vault.yml --ask-vault-passTo run on Ansible Automation Platform without a custom credential type:
- Create a new job template with
renew.ymlas the playbook - Add
vault_addressas an extra var and set the default value appropriately - Add a survey question (type: password) that assigns it's value to
vault_tokenand set the default value appropriately (this will ensure the token is encrypted) - Set a schedule for the job template to run on the desired interval
Alternatively, you can create a custom credential type to store the vault token and address. This will allow you to avoid using a survey and will allow you to store the token securely in the AAP credential store. Have the credential type contain extra vars for vault_address and vault_token and ensure the token value is encrypted. Then, create a new credential with the custom credential type and assign it to the job template.