Red Hat SummitOIDC credential types for HashiCorp Vault
Ansible Automation Platform supports OIDC credential types for HashiCorp Vault that use short-lived JSON Web Tokens instead of static credentials, providing secure, automatic authentication without the need to store or rotate Vault secrets.
-
HashiCorp Vault Secret Lookup (OIDC):Fetches arbitrary Key/Value (KV) secrets from HashiCorp Vault that are needed for Ansible automation, such as passwords, private keys, and API keys.
-
HashiCorp Vault Signed SSH (OIDC):HashiCorp Vault digitally signs a certificate that Ansible Automation Platform uses to authenticate to a remote host and run automation.
Instead of relying on long-lived credentials that must be stored, rotated, and protected, OIDC credential types use short-lived JSON Web Tokens (JWTs) that are issued per job and expire automatically. This reduces the risk of credential exposure and removes the operational burden of manual credential rotation.
JWT expiration and timeout behavior
When issuing JWTs for OIDC credentials, Ansible Automation Platform uses the job's configured timeout to determine the token's expiration time, aligning it with the expected duration of the job. If the job has no configured timeout, a platform default of 5 minutes (plus 1 minute for clock skew) is used.
This time is intentionally short but generally sufficient because the JWT is only used by the control plane to access HashiCorp Vault and retrieve secrets before automation begins executing. This value is configurable and can be adjusted if jobs fail due to an expired JWT or if a shorter time is needed.
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}