Agentless Vault secret automation with Event-Driven Ansible

A guide to using Event-Driven Ansible for agentless secret management in environments where Vault Agents are not feasible

By Ricardo Oliveira

Managing secrets at scale across different infrastructure environments creates operational challenges. HashiCorp Vault centralizes secret storage, rotation, and management, often through Vault Agents (or the Vault Secrets Operator in Kubernetes). However, when you already use Event-Driven Ansible (EDA) and can’t deploy agents, EDA’s orchestration has some advantages: immediate response to secret lifecycle events without agent deployment overhead, centralized automation for legacy systems, and simplified compliance workflows that automatically enforce security policies across diverse environments.

This article explores how EDA complements existing Vault deployments with agentless automation for specific scenarios, and looks at implementation guidance for organizations that want to adopt this approach.

»Why event-driven secret automation?

Although Vault Agents provide an excellent solution for many use cases, some deployment scenarios require an alternative approach:

• Legacy applications that cannot easily install a binary  

• Environments with strict security policies that do not allow additional daemon processes  

• Multi-cloud deployments, where managing agents consistently is complicated  

• Third-party applications that you cannot modify to work with agents  

• Environments where you can't deploy agents

In these instances, when you need to push credentials into different environments, event-driven automation complements traditional agent-based deployments by addressing specific operational issues.

»Reduce operational overhead and costs in agent-restricted environments

When you run into the mentioned situations, keeping agents running across different infrastructure deployments takes more staff time and reduces flexibility. Event-driven automation helps by cutting down on the overhead in a few practical ways.

First, you don't need to worry about complex infrastructure setups in places where agents won't work. Second, your teams spend less time coordinating between applications that need secrets managed externally. Third, you get more flexibility when deploying across mixed infrastructure environments.

This helps teams with heterogeneous infrastructure where a single agent pattern does not fit every workload. The NIST security control guidance recommends having systematic key management approaches that can adapt to different deployment constraints.

»Improve security posture

Event-driven automation reacts faster to security events than scheduled jobs. When secrets approach expiration or Vault rotates or generates credentials, EDA automatically starts rotation workflows, generates audit logs, and updates dependent applications.

This automation improves security through faster response times, automatic policy enforcement, and consistent audit trails.

»Comply with regulations

Manual coordination between security and application teams for secret rotation creates compliance risks. Event-driven automation eliminates timing mismatches between regulatory requirements and application deployment schedules by:

• Reducing compliance violations through automated policy enforcement

• Decreasing security incidents from expired or compromised credentials

»How event-driven automation works

Event-driven automation provides a complementary approach to traditional agent-based secrets management. While Vault Agent excels in a type of "pull" model for several environments, event-driven automation serves specific use cases where agents may not be optimal, and the "push" model is more effective.

Instead of relying on scheduled rotations or in-application secret retrieval, Ansible EDA connects directly to Vault's real-time event streams, allowing immediate automated responses for external applications and systems.

»The Vault EDA plugin approach

The vault_events plugin connects directly to Vault Enterprise's event streaming endpoint (/v1/sys/events/subscribe) using WebSocket connections. This approach eliminates agent deployment while enabling immediate response to secret lifecycle events.

Plugin capabilities:

• KV v1 and v2 operations: Monitoring of secret writes, updates, and deletions

• Database credential events: Detection of credential rotations and configuration changes

• Reliable connectivity: Built-in reconnection with exponential backoff for continuous monitoring

»Why HCP Vault / Vault Enterprise?

Event-driven secret automation requires Vault Enterprise or HCP Vault Dedicated because of the following features:

• Event streaming endpoint: Only Enterprise editions provide the /v1/sys/events/subscribe WebSocket endpoint

• Enterprise-grade reliability: Built for production workloads with high availability, disaster recovery, and 24/7 support

• Advanced secret engines: Database credential rotation and KV operations that generate actionable events

Community Edition does not support event streaming capabilities necessary for real-time automation workflows.

»Why EDA?

Event-Driven Ansible is an ideal integration platform for scenarios where agent-based approaches face constraints:

• Agentless architecture: Complements existing infrastructure without additional daemon processes

• Enterprise ecosystem integration: Works alongside Red Hat Ansible Automation Platform and existing agent deployments

• Flexible automation: Supports complex workflows for external systems and legacy applications

• Proven reliability: Proven automation platform that integrates with existing Vault deployments

»Real-world implementation example

Consider a financial services organization with 1,000 microservices that must rotate credentials regularly for PCI compliance.

Traditional approach challenges:

• Coordinating rotation schedules across multiple teams

• Manual updates to application configurations

• Scheduled downtime windows for credential updates

• Complex rollback procedures for failed rotations

Event-driven automation workflow:

1. Event detection: Vault generates an event such as kv-v2/data-write

2. Instant triggering: The EDA plugin receives the event using WebSockets

3. Automated workflow: Ansible playbooks update application configurations and reload the service if needed

4. Compliance documentation: All activities are automatically logged for audit purposes

This approach transforms a complex, multi-team coordination effort into a fully automated, auditable process.

»What you need to implement event-driven secret automation

You can implement event-driven secret automation through several approaches, depending on your current infrastructure and requirements.

»Development environment

For teams new to event-driven automation, starting with a local development environment allows you to evaluate this approach:

Prerequisites:

• HashiCorp Vault Enterprise or HCP Vault Dedicated (Community Edition does not support event streaming)

• Python 3.7+ with virtual environment support

• Java Runtime Environment (required for ansible-rulebook)

Plugin installation:

The Vault EDA plugin is available through Ansible Galaxy for easy installation:

# Install from Ansible Galaxy
ansible-galaxy collection install gitrgoliveira.vault_eda

Quick start with the development environment:

# Clone the repository for examples and development setup
git clone https://github.com/gitrgoliveira/vault-eda-delivery
 
# Set up environment variables
export VAULT_ADDR=http://127.0.0.1:8200
export VAULT_TOKEN=myroot
 
# Automated setup
make setup-env && make start-vault && make run-rulebook-bg

This creates a development environment with Vault Enterprise running in development mode and the EDA plugin monitoring events. Please see the documentation for multiple examples.

»Moving into production

This section explains how to deploy the Vault EDA plugin into Ansible Automation Platform (AAP) and listen to events from HCP Vault Dedicated.

»HCP Vault Dedicated configuration

Ensure the policy attached to your token has the subscribe verb in the capabilities and also defines the event types in  subscribe_event_types. Ensure the policy is only scoped to the paths you absolutely need to monitor.

path "sys/events/subscribe/*" {
    capabilities = ["read"]
}
 
path "secret/my-data" {
  capabilities = ["list", "subscribe"]
  subscribe_event_types = ["*"]
}

»Building the decision environment with the Vault EDA collection

This documentation from Red Hat has the necessary guidance to build a rulebook in Event-Driven Ansible.

This is an example YAML to get you started on creating the AAP container with the Vault EDA collection pre-installed:

version: 3
images:
  base_image:
    name: 'registry.redhat.io/ansible-automation-platform-25/de-minimal-rhel8:latest'
 
dependencies:
  galaxy:
    collections:
      - name: gitrgoliveira.vault_eda
  system:
    - pkgconf-pkg-config [platform:rpm]
    - systemd-devel [platform:rpm]
    - gcc [platform:rpm]
    - python3.11-devel [platform:rpm]
  python_interpreter:
    package_system: "python3.11"
 
options:
  package_manager_path: /usr/bin/microdnf
 
additional_build_steps:
  append_final:
    - ENV PYTHONPATH=$PYTHONPATH:/usr/local/lib/python3.11/site-packages

Use the following command with the YAML file to build an AAP container:

ansible-builder build --container-runtime podman -f de-minimal-vault.yml -t quay.io/<target_org>/de-minimal-vault-rhel8:latest -v 3

Once AAP is up and running, create the decision environment based on the output of ansible-builder:

Set up some credentials by creating a new credential type with the necessary environment variables.

Name:

HashiCorp Vault Event Stream Credential

Description:

A credential type for managing the VAULT_TOKEN, VAULT_ADDR, and VAULT_NAMESPACE environment variables required to authenticate to an event stream from HCP Vault Dedicated or Vault Enterprise.

Input fields:

fields:
  - id: vault_addr
    type: string
    label: Vault Address
    secret: false
  - id: vault_token
    type: string
    label: Vault Token
    secret: true
  - id: vault_namespace
    type: string
    label: Vault Namespace
    secret: false
required:
  - vault_addr
  - vault_token
  - vault_namespace

Injector fields for environment variables. This is how the vault event source plugin ingests credentials:

env:
  VAULT_ADDR: '{{ vault_addr }}'
  VAULT_TOKEN: '{{ vault_token }}'
  VAULT_NAMESPACE: '{{ vault_namespace }}'

You can now take this new AAP credential type and create a credential that implements it to use in our rulebooks.

Next, create a project that links to a source control repo, containing the rulebooks. These must be in a rulebooks/ sub-directory.

Now, create a Rulebook Activation. Populate the fields with the credential, project, and decision environment. Set log level to debug. Choose the rulebook to activate. This is automatically populated from the contents of the rulebook/ directory.

When you save the new activation, it starts instantly. Refer to the history to view the debug output, and you are ready to start triggering events in Vault.

[debug] ******************************************
🎉 HCP KV Write Event - Path: kv-rhocp/data/greetings, Data Path: kv-rhocp/data/greetings, Operation: data-write, Version: 1
********************************************************************************

You can also view the event in the Rule Audit tab and investigate the event details.

»Start implementing event-driven secret automation

Event-driven secret automation improves operational efficiency, security posture, and compliance for specific deployment scenarios. This approach complements traditional Vault Agent deployments by addressing use cases where centralized, external secret management automation provides advantages.

Key benefits recap:

• Reduced compliance costs through automated policy enforcement

• Improved incident response times with real-time event processing

• Simpler operations for agent-restricted environments

When to consider this approach:

• Legacy applications that cannot integrate with Vault Agents

• Mixed infrastructure environments with deployment constraints

• Centralized secret management automation requirements

»Next steps

Ready to get started? Install the plugin from Ansible Galaxy with:

ansible-galaxy collection install gitrgoliveira.vault_eda

Need implementation guidance? Visit the GitHub repository for complete setup instructions, example configurations, and production deployment guides.

Want to explore it in action? Start with the basic monitoring example to explore core event handling patterns that can be adapted to your specific organizational needs.

A special thanks to Ben Holmes for his collaboration on this blog and project.