ansible-collections/infisical.vault
1
0
Fork 0
mirror of https://github.com/Infisical/ansible-collection.git synced 2025-12-05 11:20:42 -08:00
Code Issues Projects Releases Packages Wiki Activity Actions
Mirror for the Infisical Vault Ansible collection. https://galaxy.ansible.com/ui/repo/published/infisical/vault/
47 commits 7 branches 14 tags 115 KiB
Find a file
Exact
Victor Hugo dos Santos 17a3453cc4
 Merge pull request #15 from Infisical/feature/user-and-machine-identity-token-auth 
feat: add token authentication method
2025-11-27 20:33:49 -03:00
.github/workflows Update distribute.yaml 2025-07-23 02:03:54 +04:00
docker feat: ansible docker image 2025-07-23 02:01:52 +04:00
meta ansible-galaxy init 2023-10-26 15:52:39 -04:00
plugins/lookup refactor: replace hardcoded authentication method strings with constants in read_secrets.py 2025-11-27 19:56:16 -03:00
.DS_Store ansible-galaxy init 2023-10-26 15:52:39 -04:00
.gitignore fix: better env vars 2025-08-25 18:32:11 +02:00
galaxy.yml feat: ansible docker image 2025-07-23 02:01:52 +04:00
README.md docs: update README to include Token Auth method and additional notes on OIDC Auth 2025-11-27 16:29:19 -03:00

README.md

Infisical Collection

This Ansible Infisical collection includes a variety of Ansible content to help automate the management of Infisical services. This collection is maintained by the Infisical team.

View full documentation

Ansible version compatibility

Tested with the Ansible Core >= 2.12.0 versions, and the current development version of Ansible. Ansible Core versions prior to 2.12.0 have not been tested.

Python version compatibility

This collection depends on the Infisical SDK for Python.

Requires Python 3.7 or greater.

Installing this collection

You can install the Infisical collection with the Ansible Galaxy CLI:

ansible-galaxy collection install infisical.vault

The python module dependencies are not installed by ansible-galaxy. They can be manually installed using pip:

pip install infisicalsdk

Using this collection

You can either call modules by their Fully Qualified Collection Name (FQCN), such as infisical.vault.read_secrets, or you can call modules by their short name if you list the infisical.vault collection in the playbook's collections keyword.

Authentication

The Infisical Ansible Collection supports Universal Auth, OIDC, and Token Auth for authenticating against Infisical.

Universal Auth

Using Universal Auth for authentication is the most straight-forward way to get started with using the Ansible collection.

To use Universal Auth, you need to provide the Client ID and Client Secret of your Infisical Machine Identity.

lookup('infisical.vault.read_secrets', auth_method="universal-auth" universal_auth_client_id='<client-id>', universal_auth_client_secret='<client-secret>' ...rest)

You can also provide the auth_method, universal_auth_client_id, and universal_auth_client_secret parameters through environment variables:

Parameter Name Environment Variable Name
auth_method INFISICAL_AUTH_METHOD
universal_auth_client_id INFISICAL_UNIVERSAL_AUTH_CLIENT_ID
universal_auth_client_secret INFISICAL_UNIVERSAL_AUTH_CLIENT_SECRET

OIDC Auth

To use OIDC Auth, you'll need to provide the ID of your machine identity, and the OIDC JWT to be used for authentication.

Note: Please note that in order to use OIDC Auth, you must have 1.0.10 or newer of the infisicalsdk package installed.

lookup('infisical.vault.read_secrets', auth_method="oidc-auth" identity_id='<identity-id>', jwt='<oidc-jwt>' ...rest)

You can also provide the auth_method, identity_id, and jwt parameters through environment variables:

Parameter Name Environment Variable Name
auth_method INFISICAL_AUTH_METHOD
identity_id INFISICAL_IDENTITY_ID
jwt INFISICAL_JWT

Token Auth

Token Auth is the simplest authentication method that allows you to authenticate directly with an access token. This can be either a Machine Identity Token Auth token or a User JWT token.

Note: Please note that in order to use Token Auth, you must have 1.0.13 or newer of the infisicalsdk package installed.

lookup('infisical.vault.read_secrets', auth_method="token_auth", token='<your-token>' ...rest)

You can also provide the auth_method and token parameters through environment variables:

Parameter Name Environment Variable Name
auth_method INFISICAL_AUTH_METHOD
token INFISICAL_TOKEN

Examples

---
vars:
  read_all_secrets_within_scope: "{{ lookup('infisical.vault.read_secrets', universal_auth_client_id='<>', universal_auth_client_secret='<>', project_id='<>', path='/', env_slug='dev', url='https://spotify.infisical.com') }}"
  # [{ "key": "HOST", "value": "google.com" }, { "key": "SMTP", "value": "gmail.smtp.edu" }]

   read_all_secrets_as_dict: "{{ lookup('infisical.vault.read_secrets', universal_auth_client_id='<>', universal_auth_client_secret='<>', project_id='<>', path='/', env_slug='dev', as_dict=True, url='https://spotify.infisical.com') }}"
  # {"SECRET_KEY_1": "secret-value-1", "SECRET_KEY_2": "secret-value-2"} -> Can be accessed as secrets.SECRET_KEY_1

  read_secret_by_name_within_scope: "{{ lookup('infisical.vault.read_secrets', universal_auth_client_id='<>', universal_auth_client_secret='<>', project_id='<>', path='/', env_slug='dev', secret_name='HOST', url='https://spotify.infisical.com') }}"
  # { "key": "HOST", "value": "google.com" }