diff --git a/roles/ipa/tasks/main.yml b/roles/ipa/tasks/main.yml
index cf07ede5ef..6cab5fc69b 100644
--- a/roles/ipa/tasks/main.yml
+++ b/roles/ipa/tasks/main.yml
@@ -38,6 +38,17 @@
   - config
   when: inventory_hostname.startswith("ipa01")
 
+- name: install IPA vault
+  command: ipa-kra-install
+           --password={{ipa_dm_password}}
+           --unattended
+           --log-file=/var/log/ipakrainstall.log
+           creates=/var/log/ipakrainstall.log
+  tags:
+  - ipa
+  - config
+  when: inventory_hostname.startswith("ipa01")
+
 - name: determine whether we need to set up replication
   stat: path=/etc/ipa/default.conf
   register: replication_status