In this post I'll go over setting up AWX to use HashiCorp vault.

Today I’m going to show you how to use vault that we setup in the last blog.  If you missed the Vault setup you can find it here.

HashiCorp Vault
Vault by HashiCorpVault secures, stores, and tightly controls access to tokens, passwords, certificates, API keys, and other secrets in modern computing. Vault handles leasing, key revocation, key rolling, auditing, and provides secrets as a service through a unified API.Vault by HashiCorp […

Don’t worry, this will be super easy, barely an inconvenience.

First use the root token to login to the UI of vault.  This should be something like http://X.X.X.X:8200

Once you are logged in, we need to do a few things.  I’m going to show you how to do them in the UI and the CLI commands to do them if you don’t want to use the UI.

First the UI way.

You should land on the Secrets Engine page upon login.  Click the Enable new engine in the top right.

We want to enable KV.  As you can see there are several more and I’ll talk about them later.  After selecting KV, hit next.

Leave the defaults and hit Enable Engine.

The CLI way

vault login
(paste root token)
vault secrets enable -version=2 kv
Success! Enabled the kv secrets engine at: kv/

Now let’s store a credential.  Again, I’ll show you how to do this in the UI and CLI

The UI way

On the Secrets tab select kv

Click Create secret in the right corner

For path for this secret, we are going to enter “AnsibleSSH”

Next, in Version data we are going to put the username and password.

For Key, enter username and in the value put the username, in my case svcansible

Click Add to the right

This time enter password for the key and your password in the value, in my case Password@1

Click Save

The CLI way

vault kv put kv/AnsibleSSH username=svcansible password=Password@1
To view credential
vault kv get kv/AnsibleSSH
====== Metadata ======
Key              Value
---              -----
created_time     2020-03-15T08:28:05.683171052Z
deletion_time    n/a
destroyed        false
version          1

====== Data ======
Key         Value
---         -----
password    Password@1
username    svcansible

Now we need to create a policy and a token for ansible to use.  I’m going to create a policy that only gives ansible the ability to read the secret and not update it.  You can give it update and create if you plan on using ansible to write your secrets.  This is something I’ll be showing in another post.

The UI way

Click Policies on the top menu, then select Create ACL Policy

For the name, lets name it ansiblereadonly

The policy should look like this

path "kv/*" {
	capabilities = ["read", "list"]
path "kv/AnsibleSSH" {
	capabilities = ["read", "list"]

Click create policy

The CLI way

Create a file called ansiblereadonly.hcl and paste the following
vi ansiblereadonly.hcl
path "kv/*" {
	capabilities = ["read", "list"]
path "kv/AnsibleSSH" {
	capabilities = ["read", "list"]

Now run this:
vault policy write ansiblereadonly ansiblereadonly.hcl
Success! Uploaded policy: ansiblereadonly

Now we need to create the token that ansible will use to access the secrets and tie it to this policy we just made.

New tokens can only be made with the CLI as of this writing.

vault token create -policy=ansiblereadonly
Key                  Value
---                  -----
token                s.z5zGhwC7fNhAbO4dkjvocU1m
token_accessor       9EMmAT8wEMzacOC51RKd4iML
token_duration       10h
token_renewable      true
token_policies       ["ansiblereadonly" "default"]
identity_policies    []
policies             ["ansiblereadonly" "default"]

Now let’s head over to AWX and get it setup.  Once you are logged into AWX go to credentials.

Add a new credential, Name it Vault-Lookup, for the Credential type, select “HashiCorp Vault Secret Lookup”

In the Server URL put the url to your Vault server

In the Token field, put the token we just generated.

Set the API version to V2.

Click TEST in the bottom right.  Fill in the form with the following values

If you setup everything correctly you should see a green test passed in the top right corner

Now lets setup AWX to pull the Ansible username and password from vault.  Go back to Credentials and create a new credential.  Call it Ansible-Vault.  Select the Credential type as machine.

Now comes the magic, click the little magnifying glass under username.

Select the radio button for Vault-Lookup and click Next.

Fill in the form with the following fields


Click test and you should get the green success in the top right corner.  If you do click Ok.

Now let’s do the password.  Select the magnifying glass under password.

Select the radio button for Vault-Lookup and click Next.

Fill in the form as follows


Test again, and you should receive the green success again. Click OK.  Now save the credential at the bottom.

That is, it.  You are now pulling the credentials from vault.  You can update the credentials in vault and not have to do anything in AWX, it will simply pull the new value.

I made a little playbook to show it getting the values from vault.  The playbook can be found here:

Contribute to glitchv0/HCVault-AWX development by creating an account on GitHub.

Setup your template in AWX like this:

You will have to connect to a remote host and the username and password you have in vault will have to be correct for the host you are connecting to.  If you do have everything setup correctly you should get something like this.

In my next blog post I’ll go over more fun things with vault.  I’m also working on another post to setup vault through ansible and the possibly doing it with docker.

Feel free to contact me

If you’d like to get in touch with me with questions or comments about anything I talk about feel free to reach out to me. You can email me or send me a DM on twitter. blog [@] (remove [], trying to avoid spambots) Twitter: