diff --git a/roles/vault_agent/defaults/main.yml b/roles/vault_agent/defaults/main.yml
new file mode 100644
index 0000000..372ef11
--- /dev/null
+++ b/roles/vault_agent/defaults/main.yml
@@ -0,0 +1,3 @@
+vault_agent_working_directory: /root/vault_agent_certificates
+
+vault_agent_vault_version: 1.18.2
diff --git a/roles/vault_agent/handlers/main.yml b/roles/vault_agent/handlers/main.yml
new file mode 100644
index 0000000..ab01058
--- /dev/null
+++ b/roles/vault_agent/handlers/main.yml
@@ -0,0 +1,4 @@
+- name: Restart vault-agent-certificates
+ ansible.builtin.systemd:
+ name: vault-agent-certificates
+ state: restarted
diff --git a/roles/vault_agent/tasks/main.yml b/roles/vault_agent/tasks/main.yml
new file mode 100644
index 0000000..d5eb9d3
--- /dev/null
+++ b/roles/vault_agent/tasks/main.yml
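Review bot: `vault_agent_certificate_directory` and `vault_agent_service_reload_command` are read by tasks/main.yml (the certificate-directory task) and by templates/agent-config.hcl.j2 (the template destination and the exec command) but are not declared in this defaults file, so a play that does not set both stops with an undefined-variable error part-way through the role, after packages and secrets have already been handled. If they are meant to be mandatory inputs, say so here so the role's interface is visible in one place, e.g. `# Required, no default: vault_agent_certificate_directory, vault_agent_service_reload_command`. An `ansible.builtin.assert` on both being defined at the top of the task list would then fail before anything is changed on the host.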
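Review bot: The task in tasks/main.yml that templates `/etc/systemd/system/vault-agent-certificates.service` does not notify this handler, so an edited unit file is re-read by the final start task's `daemon_reload: true` but the already-running agent keeps the old unit until something else restarts it. Add `notify: Restart vault-agent-certificates` to that template task. Giving this handler its own `daemon_reload: true` beside `state: restarted` also keeps it self-contained if it is ever triggered from a play that does not end with that start task.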
@@ -0,0 +1,105 @@
+- name: Download Vault Hashicorp gpg key
+ ansible.builtin.get_url:
+ url: https://apt.releases.hashicorp.com/gpg
+ dest: /usr/share/keyrings/hashicorp-archive-keyring.asc
+ mode: "0644"
+ owner: root
+ checksum: sha256:cafb01beac341bf2a9ba89793e6dd2468110291adfbb6c62ed11a0cde6c09029
+
+- name: Pin Vault package
+ ansible.builtin.template:
+ src: vault.pref.j2
+ dest: /etc/apt/preferences.d/vault.pref
+ mode: '0644'
+ owner: root
+ group: root
+
+- name: Add Vault repository
+ ansible.builtin.apt_repository:
+ repo: "deb [signed-by=/usr/share/keyrings/hashicorp-archive-keyring.asc] https://apt.releases.hashicorp.com {{ ansible_distribution_release }} main"
+ state: present
+
+- name: Intall Vault
+ ansible.builtin.apt:
+ update_cache: true
+ name:
+ - vault
+
+- name: Retrieve role_id and secret_id from Vault
+ community.hashi_vault.vault_kv2_get:
+ path: certificat-web-id
+ register: certificat_secrets
+ run_once: true
+ delegate_to: localhost
+ become: false
+
+- name: Create vault agent workdir
+ ansible.builtin.file:
+ path: "{{ vault_agent_working_directory }}"
+ state: directory
+ mode: '0755'
+ owner: root
+ group: root
+
+- name: Create role_id file
+ vars:
+ content: "{{ certificat_secrets.secret.role_id }}"
+ ansible.builtin.template:
+ src: content.j2
+ dest: "{{ vault_agent_working_directory }}/role_id"
+ mode: '0600'
+ owner: root
+ group: root
+
+- name: Create secret_id file
+ vars:
+ content: "{{ certificat_secrets.secret.secret_id }}"
+ ansible.builtin.template:
+ src: content.j2
+ dest: "{{ vault_agent_working_directory }}/secret_id"
+ mode: '0600'
+ owner: root
+ group: root
+
+- name: Copy agent-config.hcl
+ ansible.builtin.template:
+ src: agent-config.hcl.j2
+ dest: "{{ vault_agent_working_directory }}/agent-config.hcl"
+ mode: '0644'
+ owner: root
+ group: root
+ notify: Restart vault-agent-certificates
+
+- name: Copy retrieving_cert.tmpl
+ ansible.builtin.template:
+ src: retrieving_cert.tmpl.j2
+ dest: "{{ vault_agent_working_directory }}/retrieving_cert.tmpl"
+ mode: '0644'
+ owner: root
+ group: root
+ variable_start_string: '<<'
+ variable_end_string: '>>'
+ notify: Restart vault-agent-certificates
+
+- name: Copy vault-agent-certificates.service
+ ansible.builtin.template:
+ src: vault-agent-certificates.service.j2
+ dest: /etc/systemd/system/vault-agent-certificates.service
+ mode: '0644'
+ owner: root
+ group: root
+
+- name: Create directory for certificates
+ ansible.builtin.file:
+ state: directory
+ dest: "{{ vault_agent_certificate_directory }}"
+ mode: '0755'
+ owner: root
+ group: root
+
+- name: Start vault-agent-certificates service
+ ansible.builtin.systemd:
+ name: vault-agent-certificates
+ state: started
+ enabled: true
+ daemon_reload: true
diff --git a/roles/vault_agent/templates/agent-config.hcl.j2 b/roles/vault_agent/templates/agent-config.hcl.j2
new file mode 100644
index 0000000..1842b50
--- /dev/null
+++ b/roles/vault_agent/templates/agent-config.hcl.j2
@@ -0,0 +1,40 @@
+vault {
+ address = "https://vault.rezoleo.fr"
+ retry {
+ num_retries = 5
+ }
+}
+
+auto_auth {
+ method {
+ type = "approle"
+
+ config = {
+ // create a role in vault with a policy able to "read" the secret
+ role_id_file_path = "role_id" // to change based on the path of the role_id file
+ secret_id_file_path = "secret_id" // to change based on the path of the secret_id file
+ remove_secret_id_file_after_reading = false
+ }
+ }
+
+ sinks {
+ sink {
+ type = "file"
+
+ config = {
+ path = "sink-token"
+ }
+ }
+ }
+}
+
+template {
+ source = "retrieving_cert.tmpl"
+ destination = "{{ vault_agent_certificate_directory }}/template_output"
+ perms = "0600"
+
+ exec {
+ // command used to to reload the service after retrieving the certificate, in the form of ["binary", "arg1", "arg2", ...]
+ command = {{ vault_agent_service_reload_command | tojson }}
+ }
+}
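Review bot: The `Retrieve role_id and secret_id from Vault` task registers the AppRole `secret_id` in `certificat_secrets` without `no_log: true`, and the two `content.j2` template tasks that write `role_id` and `secret_id` are not marked either, so the credential is printed in verbose runs, in `--diff` output and by any logging callback; add `no_log: true` to those three tasks. The kv lookup carries no auth parameters, so it appears to rely on whatever Vault authentication the controller's environment provides, which is invisible to a reader of the role and deserves a comment above the task. Minor points: `Intall Vault` is a typo for `Install`, the gpg-key task is the only one without `group: root`, and its `mode: "0644"` is double-quoted while every other mode in the file is single-quoted.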
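Review bot: The `// to change based on the path of the role_id file` and `// to change based on the path of the secret_id file` comments describe an edit that has already been made — both files are written by tasks/main.yml into the unit's `WorkingDirectory`, which is why the relative paths resolve — so they read as unfinished TODOs; replace them with one comment such as `// relative to WorkingDirectory; written by tasks/main.yml`. The `// create a role in vault with a policy able to "read" the secret` line is setup guidance that belongs in the role README rather than in a rendered config. `address` is the only site-specific value still hard-coded while the certificate directory and reload command are variables; lifting it to a role variable with the current URL as its default would keep the template reusable. `remove_secret_id_file_after_reading = false` looks deliberate so the agent can re-authenticate after a restart, but it means the secret_id persists on disk for as long as Ansible keeps rewriting it, which is worth stating in a comment together with whatever TTL or use-count the Vault role applies to it.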
diff --git a/roles/vault_agent/templates/content.j2 b/roles/vault_agent/templates/content.j2
new file mode 100644
index 0000000..59245f0
--- /dev/null
+++ b/roles/vault_agent/templates/content.j2
@@ -0,0 +1 @@
+{{content}}
\ No newline at end of file
diff --git a/roles/vault_agent/templates/retrieving_cert.tmpl.j2 b/roles/vault_agent/templates/retrieving_cert.tmpl.j2
new file mode 100644
index 0000000..a2815de
--- /dev/null
+++ b/roles/vault_agent/templates/retrieving_cert.tmpl.j2
@@ -0,0 +1,10 @@
+{{with secret "secret/certificat-web"}}
+{{ index .Data.data "privkey.pem" | writeToFile "<>/privkey.pem" "" "" "0400" }}
+{{ index .Data.data "chain.pem" | writeToFile "<>/chain.pem" "" "" "0400" }}
+{{ index .Data.data "cert.pem" | writeToFile "<>/cert.pem" "" "" "0400" }}
+{{ index .Data.data "fullchain.pem" | writeToFile "<>/fullchain.pem" "" "" "0400" }}
+{{ index .Data.data "privkey.pem" }}
+{{ index .Data.data "chain.pem" }}
+{{ index .Data.data "cert.pem" }}
+{{ index .Data.data "fullchain.pem" }}
+{{end}}
diff --git a/roles/vault_agent/templates/vault-agent-certificates.service.j2 b/roles/vault_agent/templates/vault-agent-certificates.service.j2
new file mode 100644
index 0000000..9c66032
--- /dev/null
+++ b/roles/vault_agent/templates/vault-agent-certificates.service.j2
@@ -0,0 +1,12 @@
+[Unit]
+Description=Vault Agent - retrieve Let's Encrypt certificates from Vault
+After=network.target
+
+[Service]
+Type=notify
+WorkingDirectory={{ vault_agent_working_directory }}
+ExecStart=/usr/bin/vault agent -config=agent-config.hcl
+Restart=always
+
+[Install]
+WantedBy=multi-user.target
diff --git a/roles/vault_agent/templates/vault.pref.j2 b/roles/vault_agent/templates/vault.pref.j2
new file mode 100644
index 0000000..bcb7f08
--- /dev/null
+++ b/roles/vault_agent/templates/vault.pref.j2
@@ -0,0 +1,4 @@
+Explanation: Ansible - Vault pinning
+Package: vault
+Pin: version {{ vault_agent_vault_version }}-*
+Pin-Priority: 1000
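Review bot: The four bare `{{ index .Data.data "…" }}` lines after the `writeToFile` calls echo the raw `privkey.pem`, `chain.pem`, `cert.pem` and `fullchain.pem` values into the template's rendered output, so the private key ends up in two files: `privkey.pem` (0400, via `writeToFile`) and the agent's `destination` file `template_output` (0600, from agent-config.hcl.j2). `writeToFile` should already render as an empty string, so dropping those four echo lines keeps key material out of `template_output` with no other effect — confirm against the installed agent version. The `<>` inside every `writeToFile` path looks like an extraction artifact of a `<< … >>` Jinja expression (the task templates this file with `variable_start_string: '<<'`); if the committed file really contains a bare `<>`, the certificates are written to a literal `<>` directory relative to the agent's working directory, so please check the rendered path on a host.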
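Review bot: `After=network.target` only orders the unit after network setup has started, not after the host has connectivity, so at boot the agent's first authentication against `https://vault.rezoleo.fr` can fail before routes exist; `After=network-online.target` together with `Wants=network-online.target` is the usual form for a service whose start depends on a remote endpoint, leaving the agent's `num_retries = 5` to cover transient failures rather than boot ordering. `Restart=always` with no `RestartSec` restarts at systemd's default short interval and can hit the unit's start-rate limit during a longer Vault outage; `RestartSec=5` is a common choice. `Type=notify` is only correct if `vault agent` actually signals readiness over sd_notify — confirm, since otherwise the unit sits in activating until the start timeout and the final start task in tasks/main.yml fails.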