# Infisical Collection This Ansible Infisical collection includes a variety of Ansible content to help automate the management of Infisical services. This collection is maintained by the Infisical team. [View full documentation](https://galaxy.ansible.com/ui/repo/published/infisical/vault/) ## Ansible version compatibility Tested with the Ansible Core >= 2.12.0 versions, and the current development version of Ansible. Ansible Core versions prior to 2.12.0 have not been tested. ## Python version compatibility This collection depends on the Infisical SDK for Python. Requires Python 3.7 or greater. ## Installing this collection You can install the Infisical collection with the Ansible Galaxy CLI: ansible-galaxy collection install infisical.vault The python module dependencies are not installed by `ansible-galaxy`. They can be manually installed using pip: pip install infisicalsdk ## Using this collection You can either call modules by their Fully Qualified Collection Name (FQCN), such as `infisical.vault.read_secrets`, or you can call modules by their short name if you list the `infisical.vault` collection in the playbook's `collections` keyword. ### Authentication The Infisical Ansible Collection supports Universal Auth and OIDC for authenticating against Infisical. #### Universal Auth Using Universal Auth for authentication is the most straight-forward way to get started with using the Ansible collection. To use Universal Auth, you need to provide the Client ID and Client Secret of your Infisical Machine Identity. ```yaml lookup('infisical.vault.read_secrets', auth_method="universal-auth" universal_auth_client_id='', universal_auth_client_secret='' ...rest) ``` You can also provide the `auth_method`, `universal_auth_client_id`, and `universal_auth_client_secret` parameters through environment variables: | Parameter Name | Environment Variable Name | | ---------------------------- | ---------------------------------------- | | auth_method | `INFISICAL_AUTH_METHOD` | | universal_auth_client_id | `INFISICAL_UNIVERSAL_AUTH_CLIENT_ID` | | universal_auth_client_secret | `INFISICAL_UNIVERSAL_AUTH_CLIENT_SECRET` | #### OIDC Auth To use OIDC Auth, you'll need to provide the ID of your machine identity, and the OIDC JWT to be used for authentication. ```yaml lookup('infisical.vault.read_secrets', auth_method="oidc-auth" identity_id='', jwt='' ...rest) ``` You can also provide the `auth_method`, `identity_id`, and `jwt` parameters through environment variables: | Parameter Name | Environment Variable Name | | --------------- | ------------------------- | | auth_method | `INFISICAL_AUTH_METHOD` | | identity_id | `INFISICAL_IDENTITY_ID` | | jwt | `INFISICAL_JWT` | ```yaml --- vars: read_all_secrets_within_scope: "{{ lookup('infisical.vault.read_secrets', universal_auth_client_id='<>', universal_auth_client_secret='<>', project_id='<>', path='/', env_slug='dev', url='https://spotify.infisical.com') }}" # [{ "key": "HOST", "value": "google.com" }, { "key": "SMTP", "value": "gmail.smtp.edu" }] read_all_secrets_as_dict: "{{ lookup('infisical.vault.read_secrets', universal_auth_client_id='<>', universal_auth_client_secret='<>', project_id='<>', path='/', env_slug='dev', as_dict=True, url='https://spotify.infisical.com') }}" # {"SECRET_KEY_1": "secret-value-1", "SECRET_KEY_2": "secret-value-2"} -> Can be accessed as secrets.SECRET_KEY_1 read_secret_by_name_within_scope: "{{ lookup('infisical.vault.read_secrets', universal_auth_client_id='<>', universal_auth_client_secret='<>', project_id='<>', path='/', env_slug='dev', secret_name='HOST', url='https://spotify.infisical.com') }}" # { "key": "HOST", "value": "google.com" } ```