Tutorial: Use Azure Key Vault to store VM secrets with Ansible
In this quickstart, you'll create and retrieve secrets from Azure key vault with Ansible.
Ansible 2.9 (or later) is required to run the sample playbooks in this article.
In this article, you learn how to:
- Create an Azure key vault instance
- Create a secret store in Azure key vault
- Get secrets from Azure key vault with Ansible
- Azure subscription: If you don't have an Azure subscription, create a free account before you begin.
- Azure service principal: Create a service principal, making note of the following values: appId, displayName, password, and tenant.
Install Ansible: Do one of the following options:
- Install and configure Ansible on a Linux virtual machine
- Configure Azure Cloud Shell
Create an Azure key vault
Ansible needs a resource group to deploy your resources in.
Create an Ansible playbook named
add the following task to create a resource group:--- - name: Create Azure key vault hosts: localhost connection: local tasks: - name: Create resource group azure_rm_resourcegroup: name: ansible-kv-test-rg location: eastus
Define the required variables for the tenant ID, service principal object ID, and vault name.
--- vars: tenant_id: <tenantId> object_id: <servicePrincipalObjectId> vault_name: <vaultName>
, and<vaultName>
with the appropriate values. The objectId is used to grant access to secrets within the key vault.key point:
- Azure key vault names must be globally universally unique. The key vault and keys/secrets inside it are accessed via
- Azure key vault names must be globally universally unique. The key vault and keys/secrets inside it are accessed via
Configure the Azure key vault instance by adding the
task.--- - name: Create key vault instance azure_rm_keyvault: resource_group: ansible-kv-test-rg vault_name: "{{ vault_name }}" enabled_for_deployment: yes vault_tenant: "{{ tenant_id }}" sku: name: standard access_policies: - tenant_id: "{{ tenant_id }}" object_id: "{{ object_id }}" secrets: - get - list - set - delete
Run the
playbook.ansible-playbook create_kv.yml
PLAY [localhost] ******************************************************************************************************* TASK [Gathering Facts] ************************************************************************************************* ok: [localhost] TASK [Create resource group] ******************************************************************************************* ok: [localhost] TASK [Create key vault instance] ************************************************************************************ ok: [localhost] PLAY RECAP ************************************************************************************************************* localhost : ok=3 changed=0 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
Complete create Azure key vault playbook
This section lists the entire sample Ansible playbook for creating an Azure key vault.
- hosts: localhost
connection: local
tenant_id: <tenantId>
object_id: <servicePrincipalObjectId>
vault_name: <vaultName>
- name: Create resource group
name: ansible-kv-test-rg
location: eastus
- name: Create instance of Key Vault
resource_group: ansible-kv-test-rg
vault_name: "{{ vault_name }}"
enabled_for_deployment: yes
vault_tenant: "{{ tenant_id }}"
name: standard
- tenant_id: "{{ tenant_id }}"
object_id: "{{ object_id }}"
- get
- list
- set
- delete
Create a secret in key vault
Before the secret can be created, you'll need the keyvault URI.
Create another playbook named
. Copy the following code into the playbook:--- - hosts: localhost connection: local tasks: - name: Get Key Vault by name azure_rm_keyvault_info: resource_group: ansible-kv-test-rg name: <vaultName> register: keyvault - name: set KeyVault uri fact set_fact: keyvaulturi="{{ keyvault['keyvaults'][0]['vault_uri'] }}" - name: Create a secret azure_rm_keyvaultsecret: secret_name: adminPassword secret_value: <secretValue> keyvault_uri: "{{ keyvaulturi }}"
with the name of your key vault name and<secretValue>
with the value for the secret.Key point:
- The
modules registers the key vault URI as a variable. That variable is then passed to theazure_rm_keyvaultsecret
module to create the secret.
- The
Run the
playbook.ansible-playbook create_kv_secret.yml
PLAY [localhost] ******************************************************************************************************* TASK [Gathering Facts] ************************************************************************************************* ok: [localhost] TASK [Get Key Vault by name] ******************************************************************************************* ok: [localhost] TASK [set KeyVault uri fact] ******************************************************************************************* ok: [localhost] TASK [Create a secret] ************************************************************************************************* ok: [localhost] PLAY RECAP ************************************************************************************************************* localhost : ok=4 changed=0 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
Get secrets from key vault
Secrets stored in Azure key vault can be used to populate Ansible variables.
Create a new playbook called
to retrieve key vault secrets with Ansible.Ansible 2.9 with azure_preview_modules
--- - hosts: localhost connection: local roles: - { role: azure.azure_preview_modules } vars: tenant_id: <tenantId> vault_name: <vaultName> secret_name: adminPassword client_id: <servicePrincipalApplicationId> client_secret: <servicePrincipalSecret> tasks: - name: Get Key Vault by name azure_rm_keyvault_info: resource_group: ansible-kv-test-rg name: "{{ vault_name }}" register: keyvault - name: Set key vault URI fact set_fact: keyvaulturi="{{ keyvault['keyvaults'][0]['vault_uri'] }}" - name: Set key vault secret fact set_fact: secretValue={{ lookup('azure_keyvault_secret',secret_name,vault_url=keyvaulturi, client_id=client_id, secret=client_secret, tenant_id=tenant_id) }} - name: Output key vault secret debug: msg: "{{ secretValue }}"
, and<servicePrincipalSecret>
with the appropriate values.To learn more about
, see the Ansible Galaxy page.Ansible 2.10 with azure.azcollection
--- - hosts: localhost connection: local collections: - azure.azcollection vars: vault_name: ansible-kv-test-01 secret_name: adminPassword tasks: - name: Get Key Vault by name azure_rm_keyvault_info: resource_group: ansible-kv-test-rg name: "{{ vault_name }}" register: keyvault - name: Set key vault URI fact set_fact: keyvaulturi="{{ keyvault['keyvaults'][0]['vault_uri'] }}" - name: Get secret value azure_rm_keyvaultsecret_info: vault_uri: "{{ keyvaulturi }}" name: "{{ secret_name }}" register: kvSecret - name: set secret fact set_fact: secretValue="{{ kvSecret['secrets'][0]['secret'] }}" - name: Output key vault secret debug: msg="{{ secretValue }}"
with the appropriate value.To learn more about
, see Ansible collection for Azure.Run the
playbook.ansible-playbook get-secret-value.yml
TASK [Output key vault secret] ************************************************* ok: [localhost] => { "msg": "<plainTextPassword>" }
Confirm the output that replaced
is the plain text value of the secret previously created in Azure key vault.
Complete sample Ansible playbook
This section lists the entire sample Ansible playbook for configuring an Azure Windows VM using a key vault secret.
- name: Create Azure VM
hosts: localhost
connection: local
gather_facts: false
- azure.azcollection
vault_uri: <key_vault_uri>
secret_name: <key_vault_secret_name>
- name: Get latest version of a secret
vault_uri: "{{ vault_uri }}"
name: "{{ secret_name }}"
register: kvSecret
- name: Set secret fact
set_fact: secret_value="{{ kvSecret['secrets'][0]['secret'] }}"
- name: Create resource group
name: myResourceGroup
location: eastus
- name: Create virtual network
resource_group: myResourceGroup
name: vNet
address_prefixes: ""
- name: Add subnet
resource_group: myResourceGroup
name: subnet
address_prefix: ""
virtual_network: vNet
- name: Create public IP address
resource_group: myResourceGroup
allocation_method: Static
name: pip
register: output_ip_address
- name: Output public IP
msg: "The public IP is {{ output_ip_address.state.ip_address }}"
- name: Create Network Security Group
resource_group: myResourceGroup
name: networkSecurityGroup
- name: 'allow_rdp'
protocol: Tcp
destination_port_range: 3389
access: Allow
priority: 1001
direction: Inbound
- name: Create a network interface
name: nic
resource_group: myResourceGroup
virtual_network: vNet
subnet_name: subnet
security_group: networkSecurityGroup
- name: default
public_ip_address_name: pip
primary: True
- name: Create VM
resource_group: myResourceGroup
name: win-vm
vm_size: Standard_DS1_v2
admin_username: azureuser
admin_password: "{{ secret_value }}"
network_interfaces: nic
os_type: Windows
offer: WindowsServer
publisher: MicrosoftWindowsServer
sku: 2019-Datacenter
version: latest
no_log: true
Replace <key_vault_uri>
and <key_vault_secret_name>
with the appropriate values.
Clean up resources
Save the following code as
.--- - hosts: localhost tasks: - name: Deleting resource group - "{{ name }}" azure_rm_resourcegroup: name: "{{ name }}" state: absent register: rg - debug: var: rg
Run the playbook using the ansible-playbook command. Replace the placeholder with the name of the resource group to be deleted. All resources within the resource group will be deleted.
ansible-playbook delete_rg.yml --extra-vars "name=<resource_group>"
Key points:
- Because of the
variable anddebug
section of the playbook, the results display when the command finishes.
- Because of the
Next steps
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see:Submit and view feedback for