ansible.builtin.hashi_vault (v2.9.27) — lookup

Retrieve secrets from HashiCorp's Vault.

Added in version 2.0 of ansible.builtin

Authors: Jonathan Davila <jdavila(at)ansible.com>

Install Ansible via pip

Install with pip install ansible==2.9.27

Description

Retrieve secrets from HashiCorp's Vault. Each lookup term is a whitespace-separated list of key=value options; the secret option names the Vault path to read and may end in :field to return a single field.


Requirements

hvac (Python library)
Usage examples

- debug:
    msg: "{{ lookup('hashi_vault', 'secret=secret/hello:value token=c975b780-d1be-8016-866b-01d0f9b688a5 url=http://myvault:8200')}}"
- name: Return all secrets from a path
  debug:
    msg: "{{ lookup('hashi_vault', 'secret=secret/hello token=c975b780-d1be-8016-866b-01d0f9b688a5 url=http://myvault:8200')}}"
- name: Vault that requires authentication via LDAP
  debug:
      msg: "{{ lookup('hashi_vault', 'secret=secret/hello:value auth_method=ldap mount_point=ldap username=myuser password=mypas url=http://myvault:8200')}}"
- name: Vault that requires authentication via username and password
  debug:
      msg: "{{ lookup('hashi_vault', 'secret=secret/hello:value auth_method=userpass username=myuser password=mypas url=http://myvault:8200')}}"
# validate_certs=False turns off TLS certificate verification; use it only
# against a self-signed test instance, never in production
- name: Using an ssl vault without certificate verification
  debug:
      msg: "{{ lookup('hashi_vault', 'secret=secret/hola:value token=c975b780-d1be-8016-866b-01d0f9b688a5 url=https://myvault:8200 validate_certs=False')}}"
# token auth over TLS, verifying the server certificate against a custom CA bundle
# (cacert is an alias of the ca_cert option)
- name: Using an ssl vault with a custom CA certificate
  debug:
      msg: "{{ lookup('hashi_vault', 'secret=secret/hi:value token=xxxx-xxx-xxx url=https://myvault:8200 validate_certs=True cacert=/cacert/path/ca.pem')}}"
- name: authenticate with a Vault app role
  debug:
      msg: "{{ lookup('hashi_vault', 'secret=secret/hello:value auth_method=approle role_id=myroleid secret_id=mysecretid url=http://myvault:8200')}}"
- name: Return all secrets from a path in a namespace
  debug:
    msg: "{{ lookup('hashi_vault', 'secret=secret/hello token=c975b780-d1be-8016-866b-01d0f9b688a5 url=http://myvault:8200 namespace=teama/admins')}}"
# Vault KV v2: the read API addresses secret data at "secret/data/<path>",
# so the secret term must include the "data/" segment (KV v1 paths do not)
- name: Return all kv v2 secrets from a path
  debug:
    msg: "{{ lookup('hashi_vault', 'secret=secret/data/hello token=my_vault_token url=http://myvault_url:8200') }}"

Inputs

    
url:
    default: http://127.0.0.1:8200
    description: URL to vault service.
    env:
    - name: VAULT_ADDR

token:
    description: Vault token. Prefer supplying it through the VAULT_TOKEN environment
      variable rather than writing it into a playbook or inventory.
    env:
    - name: VAULT_TOKEN

secret:
    description: Vault path to read, optionally followed by :field to return a single
      field (for example secret/hello:value). Without a field the whole secret is returned.
    required: true

ca_cert:
    aliases:
    - cacert
    description: Path to the CA certificate bundle used to verify the Vault server's
      TLS certificate.

role_id:
    description: Role id for a vault AppRole auth.
    env:
    - name: VAULT_ROLE_ID

password:
    description: Authentication password.

username:
    description: Authentication user name.

namespace:
    description: Vault namespace (a Vault Enterprise feature) in which the secrets reside.
      Requires hvac 0.7.0+ and Vault 0.11+.
    version_added: '2.8'
    version_added_collection: ansible.builtin

secret_id:
    description: Secret id for a vault AppRole auth.
    env:
    - name: VAULT_SECRET_ID

auth_method:
    choices:
    - userpass
    - ldap
    - approle
    description:
    - Authentication method to be used. When unset, the lookup authenticates with the
      token option (or VAULT_TOKEN).
    - C(userpass) was added in version 2.8.
    env:
    - name: VAULT_AUTH_METHOD

mount_point:
    default: ldap
    description: Vault mount point of the auth method. Only needed if the auth method
      is enabled at a custom path.

validate_certs:
    default: true
    description: Controls verification of the Vault server's TLS certificate. Leave it
      enabled; if the server uses a self-signed certificate, prefer pointing ca_cert at
      the signing CA over turning verification off.
    type: boolean

Outputs

_raw:
  description:
  - secret(s) requested
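The term syntax, option fallbacks and field rule described above, as an added example that is not the plugin's own code: a small Python model of how `secret=path:field key=value ...` is parsed, how the VAULT_* environment variables and defaults listed under Inputs fill in options the term omits, which credentials each auth_method needs, and what a KV v1 versus KV v2 read returns. The two Vault responses are constructed to match the KV v1 and KV v2 read API shapes and no server is contacted; the `parse_term` and `extract` names, the `TermError` class and the validation messages are this example's own, and the field rule is modelled on the plugin rather than copied from it, so confirm it against the plugin version you run.

```python
"""Model of how a hashi_vault lookup term is interpreted.

Added example, not the plugin's own code. It re-implements the
"key=value ..." term syntax, the environment-variable fallbacks listed
under Inputs, the "path:field" split of the secret term and the field
extraction applied to the JSON a Vault read returns. The two responses
below are constructed to match the KV v1 and KV v2 read API shapes; no
Vault server is contacted. Names and error messages are this example's own.
"""
import os


class TermError(ValueError):
    """Raised for a malformed or incomplete lookup term."""


ENV_FALLBACKS = {          # option -> env var consulted when the term omits it
    "url": "VAULT_ADDR",
    "token": "VAULT_TOKEN",
    "role_id": "VAULT_ROLE_ID",
    "secret_id": "VAULT_SECRET_ID",
    "auth_method": "VAULT_AUTH_METHOD",
}
DEFAULTS = {"url": "http://127.0.0.1:8200", "mount_point": "ldap", "validate_certs": "true"}
ALIASES = {"cacert": "ca_cert"}
AUTH_METHODS = {"userpass", "ldap", "approle"}
REQUIRED_FOR = {           # credentials each auth method needs
    "approle": ("role_id", "secret_id"),
    "userpass": ("username", "password"),
    "ldap": ("username", "password"),
}


def to_bool(value):
    """Accept the spellings Ansible treats as booleans."""
    if isinstance(value, bool):
        return value
    text = str(value).strip().lower()
    if text in {"true", "yes", "on", "1"}:
        return True
    if text in {"false", "no", "off", "0"}:
        return False
    raise TermError(f"validate_certs={value!r} is not a boolean")


def parse_term(term, environ=None):
    """Turn 'secret=path:field key=value ...' into a validated option dict."""
    environ = os.environ if environ is None else environ
    opts = {}
    for pair in term.split():
        if "=" not in pair:
            raise TermError(f"expected key=value, got {pair!r}")
        key, value = pair.split("=", 1)
        opts[ALIASES.get(key, key)] = value
    if not opts.get("secret"):
        raise TermError("'secret' is required")
    for key, env_name in ENV_FALLBACKS.items():   # env fills only what the term omits
        if key not in opts and env_name in environ:
            opts[key] = environ[env_name]
    for key, value in DEFAULTS.items():
        opts.setdefault(key, value)
    opts["validate_certs"] = to_bool(opts["validate_certs"])

    method = opts.get("auth_method")
    if method is None:                               # token auth is the default
        if "token" not in opts:
            raise TermError("no token: pass token= or set VAULT_TOKEN")
    elif method not in AUTH_METHODS:
        raise TermError(f"auth_method must be one of {sorted(AUTH_METHODS)}")
    else:
        missing = [k for k in REQUIRED_FOR[method] if k not in opts]
        if missing:
            raise TermError(f"auth_method={method} requires {missing}")

    # "secret/hello:value" -> path "secret/hello", field "value"; no colon -> whole secret
    path, _, field = opts["secret"].partition(":")
    opts["secret"], opts["secret_field"] = path, field
    return opts


def extract(response, field):
    """Apply the lookup's field rule to the JSON of a Vault read."""
    data = response["data"]
    if field == "":
        return data
    if field not in data:
        raise KeyError(f"secret does not contain the field {field!r}")
    return data[field]


# Constructed responses, shaped like a GET on a KV v1 path ("secret/hello")
# and on a KV v2 data path ("secret/data/hello"). KV v2 nests the key/values
# one level deeper, under data.data, beside the version metadata.
KV_V1_RESPONSE = {"data": {"value": "world"}}
KV_V2_RESPONSE = {"data": {"data": {"value": "world"},
                           "metadata": {"version": 1, "destroyed": False}}}


if __name__ == "__main__":
    opts = parse_term("secret=secret/hello:value token=s.example url=https://myvault:8200", environ={})
    print(opts["secret"], opts["secret_field"], opts["validate_certs"])  # secret/hello value True
    print(extract(KV_V1_RESPONSE, "value"))          # world
    print(extract(KV_V2_RESPONSE, "data")["value"])  # world
```

Running it shows the KV v2 point behind the last usage example: because the read returns `data` with `data` and `metadata` nested inside, `secret=secret/data/hello:value` finds no field named `value`; ask for `secret=secret/data/hello` and index the result with `['data']['value']`, or use `:data` as the field. It also shows that `token` is taken from VAULT_TOKEN whenever the term omits it, which is how to keep tokens out of playbooks.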