Stage 4 · Provision
Secrets & Security
External Secret Stores
HashiCorp Vault, cloud secret managers, and lookup plugins.
Why External Secret Stores?
External secret stores centralize secret management, enable audit trails, support rotation, and integrate with RBAC. Ansible retrieves secrets at runtime instead of storing them in files.
HashiCorp Vault
- name: Get secret from Vault
hosts: webservers
vars:
vault_token: "{{ lookup('env', 'VAULT_TOKEN') }}"
tasks:
- name: Retrieve database password
ansible.builtin.debug:
msg: "DB password: {{ lookup('community.hashi_vault.hashi_vault', 'secret=secret/data/db:password url=http://vault:8200 token=' + vault_token) }}"
- name: Use secret in a task
ansible.builtin.template:
src: db.conf.j2
dest: /etc/app/db.conf
vars:
db_password: "{{ lookup('community.hashi_vault.hashi_vault', 'secret=secret/data/db:password url=http://vault:8200 token=' + vault_token) }}"The hashi_vault lookup plugin fetches secrets from Vault at runtime. The secret is never stored in a file.
AWS Secrets Manager
- name: Get AWS secret
hosts: webservers
tasks:
- name: Retrieve API key
ansible.builtin.set_fact:
api_key: "{{ lookup('amazon.aws.aws_secret', 'secret=production/api-key:api_key region=us-east-1') }}"
- name: Deploy config with secret
ansible.builtin.template:
src: app.conf.j2
dest: /etc/app/config.confThe aws_secret lookup plugin retrieves secrets from AWS Secrets Manager. It uses IAM roles for authentication — no hardcoded credentials.
Azure Key Vault
- name: Get Azure secret
hosts: webservers
tasks:
- name: Retrieve connection string
ansible.builtin.debug:
msg: "{{ lookup('community.general.azure_keyvault_secret', 'vault_url=https://myvault.vault.azure.net secret_name=database-connection-string') }}"Azure Key Vault lookup requires authentication via service principal or managed identity. Credentials come from environment variables or the instance metadata service.
Lookup Plugins
| Plugin | Source | Use Case |
|---|---|---|
| community.hashi_vault.hashi_vault | HashiCorp Vault | Self-hosted secret management |
| amazon.aws.aws_secret | AWS Secrets Manager | Cloud-native secrets |
| community.general.azure_keyvault_secret | Azure Key Vault | Azure environments |
| community.google.cloud secrets manager | GCP Secret Manager | Google Cloud |
| community.general.consul_kv | Consul KV | Service mesh secrets |
External secret stores retrieve secrets only when needed. They are never written to disk or stored in variables files. This reduces the attack surface significantly.
Lookup plugins fetch secrets on every play. For performance, cache the result in a variable but be aware of the security trade-off. Use short-lived Vault tokens and rotate frequently.
Mark this lesson complete to store local progress and unlock a cleaner resume path the next time you visit.