Configure an OIDC credential to enable Ansible Automation Platform to authenticate with HashiCorp Vault using short-lived tokens instead of static credentials, reducing the risk of credential exposure.
- You have configured the JWT authentication method on the HashiCorp Vault server with the OIDC discovery URL, so that Vault can fetch the signing keys it uses to verify the tokens that Ansible Automation Platform presents.
- You have set the install-time feature flag FEATURE_OIDC_WORKLOAD_IDENTITY_ENABLED to True.
- You have created a JWT role and appropriate access policies in Vault.
Procedure
- Log in to Ansible Automation Platform.
- From the navigation panel, select , and then select .
- Click Create credential.
- Edit the following fields:
  - Name: The name of your credential.
  - Description: Optional field describing your credential.
  - Organization: Select an organization or choose Default.
  - Credential type: Select either HashiCorp Vault Secret Lookup or HashiCorp Vault Signed SSH. Depending on your selection, relevant fields are displayed.
  - Server URL: The URL used to communicate with the HashiCorp Vault secret management system.
    Note
    This value is also used as the JSON Web Token (JWT) audience (the aud claim). Ensure that the bound_audiences parameter in your Vault JWT role matches this URL exactly, character for character, including the scheme, port, and any trailing slash; Vault rejects the login if none of the token's aud values appears in bound_audiences.
  - CA Certificate: Optional CA certificate used to verify TLS connections to the HashiCorp Vault server.
  - Path to auth: Path at which the JWT authentication method is mounted in HashiCorp Vault. Use the default jwt unless you used a custom path when you ran vault auth enable jwt.
  - JWT role: Name of the JWT role configured in HashiCorp Vault.
  - Namespace Name (Vault Enterprise only): Name of the Vault Enterprise namespace where your secrets and authentication methods are configured. Namespaces provide tenant isolation within a shared Vault instance, allowing teams or environments to manage secrets independently. If your Vault server does not use namespaces, leave this field blank.
  - API version: The version of the Vault KV secrets engine used for secret lookups. Valid values are v1 (for KV version 1) or v2 (for KV version 2).
- Click Test to verify connection to the secret management system.
- In the Test external credential dialog, edit the fields:
  - For HashiCorp Vault Secret Lookup (OIDC):
    - Name of secret backend: The mount path or name of the secrets engine instance in HashiCorp Vault.
    - Path to secret: The path to the specific secret inside the secrets engine (for example, secret/data/myapp).
    - Path to auth: The path at which the JWT/OIDC authentication method is enabled in Vault (defaults to jwt if not customized).
    - Key name: The specific key within the secret payload whose value you want to retrieve.
    - Secret version (v2 only): The version number of the secret to fetch. Leave blank to retrieve the latest version.
  - For HashiCorp Vault Signed SSH (OIDC):
    - Unsigned public key: Paste the raw, unsigned public SSH key that requires a signature from the HashiCorp Vault SSH secrets engine.
    - Path to secret: The mount path of the SSH secrets engine in Vault (for example, ssh-client-signer).
    - Path to auth: The path at which the JWT/OIDC authentication method is enabled in Vault.
    - Role name: The role configured within the Vault SSH secrets engine that dictates signing permissions (allowed principals, certificate extensions, and TTL).
    - Valid principals: A comma-separated list of usernames or hosts to place in the certificate's principals. Each must be permitted by the role's allowed principals, and the signed certificate is only usable for those principals.
- Click Run.
A success or error message displays, showing the claims associated with the job template you selected.
- For errors, click Retry to correct your input in the Test external credential dialog, or click Cancel to return to the Details screen of your target credential. Review the displayed claims and Vault logs to troubleshoot any errors.
- For successful tests, click Close. You are returned to the Details screen of your target credential.
- Click Create credential.
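The most common reason the Test step fails is a mismatch between the credential's Server URL (the JWT audience) and the role's bound_audiences, or a bound claim that the token does not carry. The following is an added example, not code from Ansible Automation Platform or HashiCorp Vault: an offline pre-flight check that decodes a token's payload and applies the same claim-binding rules Vault's jwt auth method enforces after signature verification (audience intersection with bound_audiences, presence of user_claim, exact or glob match of bound_claims, expiry). The VAULT_ROLE dictionary mirrors the parameters you would pass to vault write auth/jwt/role/<name>; the Server URL https://vault.example.com:8200, the role and policy names, the issuer, and the "organization" claim are assumptions constructed for this example, and the token payloads are constructed rather than captured from a running platform. Signature verification is deliberately not reproduced; Vault does that with the keys from the OIDC discovery URL, and an alg=none token is only accepted by this local checker.

```python
"""Offline pre-flight check of a workload-identity JWT against a Vault JWT role.

Added example, not code from Ansible Automation Platform or HashiCorp Vault.
It reproduces the claim checks Vault's jwt auth method performs after
signature verification (audience, user claim, bound claims, expiry) so that a
mismatch such as a trailing slash between the credential's Server URL and the
role's bound_audiences is caught before you click Test.
"""
from __future__ import annotations

import base64
import json
import time
from fnmatch import fnmatchcase

# The Vault role, mirroring the parameters given to
# `vault write auth/jwt/role/aap ...`. Server URL, role/policy names and the
# "organization" claim are assumptions made up for this example.
VAULT_ROLE = {
    "role_type": "jwt",
    "bound_audiences": ["https://vault.example.com:8200"],  # must equal the AAP Server URL
    "user_claim": "sub",
    "bound_claims": {"organization": "Default"},
    "bound_claims_type": "string",  # Vault default: exact match; "glob" allows wildcards
    "token_policies": ["aap-secret-reader"],
}

# Constructed token payloads standing in for what the platform would present.
# Claim names other than the standard iss/sub/aud/exp are hypothetical.
CLAIMS_OK = {
    "iss": "https://aap.example.com",
    "sub": "job-template:42",
    "aud": "https://vault.example.com:8200",
    "organization": "Default",
    "exp": 2_000_000_000,
}
CLAIMS_BAD_AUD = dict(CLAIMS_OK, aud="https://vault.example.com:8200/")  # trailing slash


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url JWT segment, restoring the padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(obj: dict) -> str:
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()


def make_unsigned_token(claims: dict) -> str:
    """Build an alg=none JWT for local testing only; Vault never accepts these."""
    return f"{_b64url_encode({'alg': 'none', 'typ': 'JWT'})}.{_b64url_encode(claims)}."


def jwt_claims(token: str) -> dict:
    """Return the payload of a compact JWT without checking its signature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def check_role_binding(claims: dict, role: dict, now: float | None = None) -> list[str]:
    """Return the problems Vault would report; an empty list means the binding is consistent."""
    problems = []
    now = time.time() if now is None else now

    # aud may be a string or a list; at least one value must appear in bound_audiences.
    aud = claims.get("aud", [])
    aud = [aud] if isinstance(aud, str) else list(aud)
    if not set(aud) & set(role["bound_audiences"]):
        problems.append(
            f"aud {aud!r} has no member in bound_audiences {role['bound_audiences']!r}"
        )

    # user_claim names the entity alias Vault creates on login, so it must exist.
    if not claims.get(role["user_claim"]):
        problems.append(f"user_claim {role['user_claim']!r} is missing from the token")

    # Every bound claim must match; comparison is exact unless bound_claims_type is glob.
    glob = role.get("bound_claims_type", "string") == "glob"
    for name, expected in role.get("bound_claims", {}).items():
        actual = claims.get(name)
        actual_values = actual if isinstance(actual, list) else [actual]
        expected_values = expected if isinstance(expected, list) else [expected]
        matched = any(
            fnmatchcase(str(a), str(e)) if glob else a == e
            for a in actual_values
            for e in expected_values
        )
        if not matched:
            problems.append(f"bound claim {name!r}={actual!r} does not match {expected!r}")

    exp = claims.get("exp")
    if exp is None or exp <= now:
        problems.append("token has expired or carries no exp claim")
    return problems


if __name__ == "__main__":
    for label, claims in (("matching", CLAIMS_OK), ("trailing slash", CLAIMS_BAD_AUD)):
        token = make_unsigned_token(claims)
        print(label, check_role_binding(jwt_claims(token), VAULT_ROLE) or "OK")
```

Run it as a script to see the matching payload pass and the trailing-slash payload fail on the audience check alone. When a real Test run fails, paste the claims shown in the dialog into CLAIMS_OK and the role as written in Vault into VAULT_ROLE: the list of problems returned tells you which of the fields above to correct.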