Index of all Collection Environment Variables

The following index documents all environment variables declared by plugins in collections. Environment variables used by the ansible-core configuration are documented in Ansible Configuration Settings.

ANSIBLE_HASHI_VAULT_ADDR

URL to the Vault service.

If not specified by any other means, the value of the VAULT_ADDR environment variable will be used.

If VAULT_ADDR is also not defined then an error will be raised.

Used by: community.hashi_vault.hashi_vault lookup plugin, community.hashi_vault.vault_kv1_get lookup plugin, community.hashi_vault.vault_kv2_get lookup plugin, community.hashi_vault.vault_list lookup plugin, community.hashi_vault.vault_login lookup plugin, community.hashi_vault.vault_read lookup plugin, community.hashi_vault.vault_token_create lookup plugin, community.hashi_vault.vault_write lookup plugin

ANSIBLE_HASHI_VAULT_AUTH_METHOD

Authentication method to be used.

none auth method was added in collection version 1.2.0.

cert auth method was added in collection version 1.4.0.

aws_iam_login was renamed aws_iam in collection version 2.1.0 and was removed in 3.0.0.

azure auth method was added in collection version 3.2.0.

Used by: community.hashi_vault.hashi_vault lookup plugin, community.hashi_vault.vault_kv1_get lookup plugin, community.hashi_vault.vault_kv2_get lookup plugin, community.hashi_vault.vault_list lookup plugin, community.hashi_vault.vault_login lookup plugin, community.hashi_vault.vault_read lookup plugin, community.hashi_vault.vault_token_create lookup plugin, community.hashi_vault.vault_write lookup plugin

ANSIBLE_HASHI_VAULT_AWS_IAM_SERVER_ID

If specified, sets the value to use for the X-Vault-AWS-IAM-Server-ID header as part of GetCallerIdentity request.

Used by: community.hashi_vault.hashi_vault lookup plugin, community.hashi_vault.vault_kv1_get lookup plugin, community.hashi_vault.vault_kv2_get lookup plugin, community.hashi_vault.vault_list lookup plugin, community.hashi_vault.vault_login lookup plugin, community.hashi_vault.vault_read lookup plugin, community.hashi_vault.vault_token_create lookup plugin, community.hashi_vault.vault_write lookup plugin

ANSIBLE_HASHI_VAULT_AZURE_CLIENT_ID

The client ID (also known as application ID) of the Azure AD service principal or managed identity. Should be a UUID.

If not specified, will use the system assigned managed identity.

Used by: community.hashi_vault.hashi_vault lookup plugin, community.hashi_vault.vault_kv1_get lookup plugin, community.hashi_vault.vault_kv2_get lookup plugin, community.hashi_vault.vault_list lookup plugin, community.hashi_vault.vault_login lookup plugin, community.hashi_vault.vault_read lookup plugin, community.hashi_vault.vault_token_create lookup plugin, community.hashi_vault.vault_write lookup plugin

ANSIBLE_HASHI_VAULT_AZURE_CLIENT_SECRET

The client secret of the Azure AD service principal.

Used by: community.hashi_vault.hashi_vault lookup plugin, community.hashi_vault.vault_kv1_get lookup plugin, community.hashi_vault.vault_kv2_get lookup plugin, community.hashi_vault.vault_list lookup plugin, community.hashi_vault.vault_login lookup plugin, community.hashi_vault.vault_read lookup plugin, community.hashi_vault.vault_token_create lookup plugin, community.hashi_vault.vault_write lookup plugin

ANSIBLE_HASHI_VAULT_AZURE_RESOURCE

The resource URL for the application registered in Azure Active Directory. Usually should not be changed from the default.

Used by: community.hashi_vault.hashi_vault lookup plugin, community.hashi_vault.vault_kv1_get lookup plugin, community.hashi_vault.vault_kv2_get lookup plugin, community.hashi_vault.vault_list lookup plugin, community.hashi_vault.vault_login lookup plugin, community.hashi_vault.vault_read lookup plugin, community.hashi_vault.vault_token_create lookup plugin, community.hashi_vault.vault_write lookup plugin

ANSIBLE_HASHI_VAULT_AZURE_TENANT_ID

The Azure Active Directory Tenant ID (also known as the Directory ID) of the service principal. Should be a UUID.

Required when using a service principal to authenticate to Vault, e.g. required when both azure_client_id and azure_client_secret are specified.

Optional when using managed identity to authenticate to Vault.

Used by: community.hashi_vault.hashi_vault lookup plugin, community.hashi_vault.vault_kv1_get lookup plugin, community.hashi_vault.vault_kv2_get lookup plugin, community.hashi_vault.vault_list lookup plugin, community.hashi_vault.vault_login lookup plugin, community.hashi_vault.vault_read lookup plugin, community.hashi_vault.vault_token_create lookup plugin, community.hashi_vault.vault_write lookup plugin

ANSIBLE_HASHI_VAULT_CA_CERT

Path to certificate to use for authentication.

If not specified by any other means, the VAULT_CACERT environment variable will be used.

Used by: community.hashi_vault.hashi_vault lookup plugin, community.hashi_vault.vault_kv1_get lookup plugin, community.hashi_vault.vault_kv2_get lookup plugin, community.hashi_vault.vault_list lookup plugin, community.hashi_vault.vault_login lookup plugin, community.hashi_vault.vault_read lookup plugin, community.hashi_vault.vault_token_create lookup plugin, community.hashi_vault.vault_write lookup plugin

ANSIBLE_HASHI_VAULT_CERT_AUTH_PRIVATE_KEY

For cert auth, path to the private key file to authenticate with, in PEM format.

Used by: community.hashi_vault.hashi_vault lookup plugin, community.hashi_vault.vault_kv1_get lookup plugin, community.hashi_vault.vault_kv2_get lookup plugin, community.hashi_vault.vault_list lookup plugin, community.hashi_vault.vault_login lookup plugin, community.hashi_vault.vault_read lookup plugin, community.hashi_vault.vault_token_create lookup plugin, community.hashi_vault.vault_write lookup plugin

ANSIBLE_HASHI_VAULT_CERT_AUTH_PUBLIC_KEY

For cert auth, path to the certificate file to authenticate with, in PEM format.

Used by: community.hashi_vault.hashi_vault lookup plugin, community.hashi_vault.vault_kv1_get lookup plugin, community.hashi_vault.vault_kv2_get lookup plugin, community.hashi_vault.vault_list lookup plugin, community.hashi_vault.vault_login lookup plugin, community.hashi_vault.vault_read lookup plugin, community.hashi_vault.vault_token_create lookup plugin, community.hashi_vault.vault_write lookup plugin

ANSIBLE_HASHI_VAULT_JWT

The JSON Web Token (JWT) to use for JWT authentication to Vault.

Used by: community.hashi_vault.hashi_vault lookup plugin, community.hashi_vault.vault_kv1_get lookup plugin, community.hashi_vault.vault_kv2_get lookup plugin, community.hashi_vault.vault_list lookup plugin, community.hashi_vault.vault_login lookup plugin, community.hashi_vault.vault_read lookup plugin, community.hashi_vault.vault_token_create lookup plugin, community.hashi_vault.vault_write lookup plugin

ANSIBLE_HASHI_VAULT_MOUNT_POINT

Vault mount point.

If not specified, the default mount point for a given auth method is used.

Does not apply to token authentication.

Used by: community.hashi_vault.hashi_vault lookup plugin, community.hashi_vault.vault_kv1_get lookup plugin, community.hashi_vault.vault_kv2_get lookup plugin, community.hashi_vault.vault_list lookup plugin, community.hashi_vault.vault_login lookup plugin, community.hashi_vault.vault_read lookup plugin, community.hashi_vault.vault_token_create lookup plugin, community.hashi_vault.vault_write lookup plugin

ANSIBLE_HASHI_VAULT_NAMESPACE

Vault namespace where secrets reside. This option requires HVAC 0.7.0+ and Vault 0.11+.

Optionally, this may be achieved by prefixing the authentication mount point and/or secret path with the namespace (e.g mynamespace/secret/mysecret).

If environment variable VAULT_NAMESPACE is set, its value will be used last among all ways to specify namespace.

Used by: community.hashi_vault.hashi_vault lookup plugin, community.hashi_vault.vault_kv1_get lookup plugin, community.hashi_vault.vault_kv2_get lookup plugin, community.hashi_vault.vault_list lookup plugin, community.hashi_vault.vault_login lookup plugin, community.hashi_vault.vault_read lookup plugin, community.hashi_vault.vault_token_create lookup plugin, community.hashi_vault.vault_write lookup plugin

ANSIBLE_HASHI_VAULT_PASSWORD

Authentication password.

Used by: community.hashi_vault.hashi_vault lookup plugin, community.hashi_vault.vault_kv1_get lookup plugin, community.hashi_vault.vault_kv2_get lookup plugin, community.hashi_vault.vault_list lookup plugin, community.hashi_vault.vault_login lookup plugin, community.hashi_vault.vault_read lookup plugin, community.hashi_vault.vault_token_create lookup plugin, community.hashi_vault.vault_write lookup plugin

ANSIBLE_HASHI_VAULT_PROXIES

URL(s) to the proxies used to access the Vault service.

It can be a string or a dict.

If it’s a dict, provide the scheme (eg. http or https) as the key, and the URL as the value.

If it’s a string, provide a single URL that will be used as the proxy for both http and https schemes.

A string that can be interpreted as a dictionary will be converted to one (see examples).

You can specify a different proxy for HTTP and HTTPS resources.

If not specified, environment variables from the Requests library are used.

Used by: community.hashi_vault.hashi_vault lookup plugin, community.hashi_vault.vault_kv1_get lookup plugin, community.hashi_vault.vault_kv2_get lookup plugin, community.hashi_vault.vault_list lookup plugin, community.hashi_vault.vault_login lookup plugin, community.hashi_vault.vault_read lookup plugin, community.hashi_vault.vault_token_create lookup plugin, community.hashi_vault.vault_write lookup plugin

ANSIBLE_HASHI_VAULT_RETRIES

Allows for retrying on errors, based on the Retry class in the urllib3 library.

This collection defines recommended defaults for retrying connections to Vault.

This option can be specified as a positive number (integer) or dictionary.

If this option is not specified or the number is 0, then retries are disabled.

A number sets the total number of retries, and uses collection defaults for the other settings.

A dictionary value is used directly to initialize the Retry class, so it can be used to fully customize retries.

For detailed information on retries, see the collection User Guide.

Used by: community.hashi_vault.hashi_vault lookup plugin, community.hashi_vault.vault_kv1_get lookup plugin, community.hashi_vault.vault_kv2_get lookup plugin, community.hashi_vault.vault_list lookup plugin, community.hashi_vault.vault_login lookup plugin, community.hashi_vault.vault_read lookup plugin, community.hashi_vault.vault_token_create lookup plugin, community.hashi_vault.vault_write lookup plugin

ANSIBLE_HASHI_VAULT_RETRY_ACTION

Controls whether and how to show messages on retries.

This has no effect if a request is not retried.

Used by: community.hashi_vault.hashi_vault lookup plugin, community.hashi_vault.vault_kv1_get lookup plugin, community.hashi_vault.vault_kv2_get lookup plugin, community.hashi_vault.vault_list lookup plugin, community.hashi_vault.vault_login lookup plugin, community.hashi_vault.vault_read lookup plugin, community.hashi_vault.vault_token_create lookup plugin, community.hashi_vault.vault_write lookup plugin

ANSIBLE_HASHI_VAULT_ROLE_ID

Vault Role ID or name. Used in approle, aws_iam, azure and cert auth methods.

For cert auth, if no role_id is supplied, the default behavior is to try all certificate roles and return any one that matches.

For azure auth, role_id is required.

Used by: community.hashi_vault.hashi_vault lookup plugin, community.hashi_vault.vault_kv1_get lookup plugin, community.hashi_vault.vault_kv2_get lookup plugin, community.hashi_vault.vault_list lookup plugin, community.hashi_vault.vault_login lookup plugin, community.hashi_vault.vault_read lookup plugin, community.hashi_vault.vault_token_create lookup plugin, community.hashi_vault.vault_write lookup plugin

ANSIBLE_HASHI_VAULT_SECRET_ID

Secret ID to be used for Vault AppRole authentication.

Used by: community.hashi_vault.hashi_vault lookup plugin, community.hashi_vault.vault_kv1_get lookup plugin, community.hashi_vault.vault_kv2_get lookup plugin, community.hashi_vault.vault_list lookup plugin, community.hashi_vault.vault_login lookup plugin, community.hashi_vault.vault_read lookup plugin, community.hashi_vault.vault_token_create lookup plugin, community.hashi_vault.vault_write lookup plugin

ANSIBLE_HASHI_VAULT_TIMEOUT

Sets the connection timeout in seconds.

If not set, then the hvac library’s default is used.

Used by: community.hashi_vault.hashi_vault lookup plugin, community.hashi_vault.vault_kv1_get lookup plugin, community.hashi_vault.vault_kv2_get lookup plugin, community.hashi_vault.vault_list lookup plugin, community.hashi_vault.vault_login lookup plugin, community.hashi_vault.vault_read lookup plugin, community.hashi_vault.vault_token_create lookup plugin, community.hashi_vault.vault_write lookup plugin

ANSIBLE_HASHI_VAULT_TOKEN

Vault token. Token may be specified explicitly, through the listed [env] vars, and also through the VAULT_TOKEN env var.

If no token is supplied, explicitly or through env, then the plugin will check for a token file, as determined by token_path and token_file.

The order of token loading (first found wins) is token param -> ansible var -> ANSIBLE_HASHI_VAULT_TOKEN -> VAULT_TOKEN -> token file.

Used by: community.hashi_vault.hashi_vault lookup plugin, community.hashi_vault.vault_kv1_get lookup plugin, community.hashi_vault.vault_kv2_get lookup plugin, community.hashi_vault.vault_list lookup plugin, community.hashi_vault.vault_login lookup plugin, community.hashi_vault.vault_read lookup plugin, community.hashi_vault.vault_token_create lookup plugin, community.hashi_vault.vault_write lookup plugin

ANSIBLE_HASHI_VAULT_TOKEN_FILE

If no token is specified, will try to read the token from this file in token_path.

Used by: community.hashi_vault.hashi_vault lookup plugin, community.hashi_vault.vault_kv1_get lookup plugin, community.hashi_vault.vault_kv2_get lookup plugin, community.hashi_vault.vault_list lookup plugin, community.hashi_vault.vault_login lookup plugin, community.hashi_vault.vault_read lookup plugin, community.hashi_vault.vault_token_create lookup plugin, community.hashi_vault.vault_write lookup plugin

ANSIBLE_HASHI_VAULT_TOKEN_PATH

If no token is specified, will try to read the token_file from this path.

Used by: community.hashi_vault.hashi_vault lookup plugin, community.hashi_vault.vault_kv1_get lookup plugin, community.hashi_vault.vault_kv2_get lookup plugin, community.hashi_vault.vault_list lookup plugin, community.hashi_vault.vault_login lookup plugin, community.hashi_vault.vault_read lookup plugin, community.hashi_vault.vault_token_create lookup plugin, community.hashi_vault.vault_write lookup plugin

ANSIBLE_HASHI_VAULT_TOKEN_VALIDATE

For token auth, will perform a lookup-self operation to determine the token’s validity before using it.

Disable if your token does not have the lookup-self capability.

Used by: community.hashi_vault.hashi_vault lookup plugin, community.hashi_vault.vault_kv1_get lookup plugin, community.hashi_vault.vault_kv2_get lookup plugin, community.hashi_vault.vault_list lookup plugin, community.hashi_vault.vault_login lookup plugin, community.hashi_vault.vault_read lookup plugin, community.hashi_vault.vault_token_create lookup plugin, community.hashi_vault.vault_write lookup plugin

ANSIBLE_HASHI_VAULT_USERNAME

Authentication user name.

Used by: community.hashi_vault.hashi_vault lookup plugin, community.hashi_vault.vault_kv1_get lookup plugin, community.hashi_vault.vault_kv2_get lookup plugin, community.hashi_vault.vault_list lookup plugin, community.hashi_vault.vault_login lookup plugin, community.hashi_vault.vault_read lookup plugin, community.hashi_vault.vault_token_create lookup plugin, community.hashi_vault.vault_write lookup plugin

AWS_ACCESS_KEY

The AWS access key to use.

Used by: community.hashi_vault.hashi_vault lookup plugin, community.hashi_vault.vault_kv1_get lookup plugin, community.hashi_vault.vault_kv2_get lookup plugin, community.hashi_vault.vault_list lookup plugin, community.hashi_vault.vault_login lookup plugin, community.hashi_vault.vault_read lookup plugin, community.hashi_vault.vault_token_create lookup plugin, community.hashi_vault.vault_write lookup plugin

AWS_ACCESS_KEY_ID

The AWS access key to use.

Used by: community.hashi_vault.hashi_vault lookup plugin, community.hashi_vault.vault_kv1_get lookup plugin, community.hashi_vault.vault_kv2_get lookup plugin, community.hashi_vault.vault_list lookup plugin, community.hashi_vault.vault_login lookup plugin, community.hashi_vault.vault_read lookup plugin, community.hashi_vault.vault_token_create lookup plugin, community.hashi_vault.vault_write lookup plugin

AWS_DEFAULT_PROFILE

The AWS profile

Used by: community.hashi_vault.hashi_vault lookup plugin, community.hashi_vault.vault_kv1_get lookup plugin, community.hashi_vault.vault_kv2_get lookup plugin, community.hashi_vault.vault_list lookup plugin, community.hashi_vault.vault_login lookup plugin, community.hashi_vault.vault_read lookup plugin, community.hashi_vault.vault_token_create lookup plugin, community.hashi_vault.vault_write lookup plugin

AWS_PROFILE

The AWS profile

Used by: community.hashi_vault.hashi_vault lookup plugin, community.hashi_vault.vault_kv1_get lookup plugin, community.hashi_vault.vault_kv2_get lookup plugin, community.hashi_vault.vault_list lookup plugin, community.hashi_vault.vault_login lookup plugin, community.hashi_vault.vault_read lookup plugin, community.hashi_vault.vault_token_create lookup plugin, community.hashi_vault.vault_write lookup plugin

AWS_REGION

The AWS region for which to create the connection.

Used by: community.hashi_vault.hashi_vault lookup plugin, community.hashi_vault.vault_kv1_get lookup plugin, community.hashi_vault.vault_kv2_get lookup plugin, community.hashi_vault.vault_list lookup plugin, community.hashi_vault.vault_login lookup plugin, community.hashi_vault.vault_read lookup plugin, community.hashi_vault.vault_token_create lookup plugin, community.hashi_vault.vault_write lookup plugin

AWS_SECRET_ACCESS_KEY

The AWS secret key that corresponds to the access key.

Used by: community.hashi_vault.hashi_vault lookup plugin, community.hashi_vault.vault_kv1_get lookup plugin, community.hashi_vault.vault_kv2_get lookup plugin, community.hashi_vault.vault_list lookup plugin, community.hashi_vault.vault_login lookup plugin, community.hashi_vault.vault_read lookup plugin, community.hashi_vault.vault_token_create lookup plugin, community.hashi_vault.vault_write lookup plugin

AWS_SECRET_KEY

The AWS secret key that corresponds to the access key.

Used by: community.hashi_vault.hashi_vault lookup plugin, community.hashi_vault.vault_kv1_get lookup plugin, community.hashi_vault.vault_kv2_get lookup plugin, community.hashi_vault.vault_list lookup plugin, community.hashi_vault.vault_login lookup plugin, community.hashi_vault.vault_read lookup plugin, community.hashi_vault.vault_token_create lookup plugin, community.hashi_vault.vault_write lookup plugin

AWS_SECURITY_TOKEN

The AWS security token if using temporary access and secret keys.

Used by: community.hashi_vault.hashi_vault lookup plugin, community.hashi_vault.vault_kv1_get lookup plugin, community.hashi_vault.vault_kv2_get lookup plugin, community.hashi_vault.vault_list lookup plugin, community.hashi_vault.vault_login lookup plugin, community.hashi_vault.vault_read lookup plugin, community.hashi_vault.vault_token_create lookup plugin, community.hashi_vault.vault_write lookup plugin

AWS_SESSION_TOKEN

The AWS security token if using temporary access and secret keys.

Used by: community.hashi_vault.hashi_vault lookup plugin, community.hashi_vault.vault_kv1_get lookup plugin, community.hashi_vault.vault_kv2_get lookup plugin, community.hashi_vault.vault_list lookup plugin, community.hashi_vault.vault_login lookup plugin, community.hashi_vault.vault_read lookup plugin, community.hashi_vault.vault_token_create lookup plugin, community.hashi_vault.vault_write lookup plugin

EC2_ACCESS_KEY

The AWS access key to use.

Used by: community.hashi_vault.hashi_vault lookup plugin, community.hashi_vault.vault_kv1_get lookup plugin, community.hashi_vault.vault_kv2_get lookup plugin, community.hashi_vault.vault_list lookup plugin, community.hashi_vault.vault_login lookup plugin, community.hashi_vault.vault_read lookup plugin, community.hashi_vault.vault_token_create lookup plugin, community.hashi_vault.vault_write lookup plugin

EC2_REGION

The AWS region for which to create the connection.

Used by: community.hashi_vault.hashi_vault lookup plugin, community.hashi_vault.vault_kv1_get lookup plugin, community.hashi_vault.vault_kv2_get lookup plugin, community.hashi_vault.vault_list lookup plugin, community.hashi_vault.vault_login lookup plugin, community.hashi_vault.vault_read lookup plugin, community.hashi_vault.vault_token_create lookup plugin, community.hashi_vault.vault_write lookup plugin

EC2_SECRET_KEY

The AWS secret key that corresponds to the access key.

Used by: community.hashi_vault.hashi_vault lookup plugin, community.hashi_vault.vault_kv1_get lookup plugin, community.hashi_vault.vault_kv2_get lookup plugin, community.hashi_vault.vault_list lookup plugin, community.hashi_vault.vault_login lookup plugin, community.hashi_vault.vault_read lookup plugin, community.hashi_vault.vault_token_create lookup plugin, community.hashi_vault.vault_write lookup plugin

EC2_SECURITY_TOKEN

The AWS security token if using temporary access and secret keys.

Used by: community.hashi_vault.hashi_vault lookup plugin, community.hashi_vault.vault_kv1_get lookup plugin, community.hashi_vault.vault_kv2_get lookup plugin, community.hashi_vault.vault_list lookup plugin, community.hashi_vault.vault_login lookup plugin, community.hashi_vault.vault_read lookup plugin, community.hashi_vault.vault_token_create lookup plugin, community.hashi_vault.vault_write lookup plugin