community / community.general / 0.1.4 / lookup / hashi_vault — community.general.hashi_vault (0.1.4), lookup plugin: Retrieve secrets from HashiCorp's vault. Authors: Jonathan Davila <jdavila(at)ansible.com>, Brian Scholer (@briantist)
Install with: ansible-galaxy collection install community.general:==0.1.4
# requirements.yml entry pinning the collection release this page documents
collections:
  - name: community.general
    version: 0.1.4
Retrieve secrets from HashiCorp's vault.
# Token, username and password values below are sample placeholders.
# In a real playbook prefer supplying the token via the VAULT_TOKEN
# environment variable (or a variable kept out of version control)
# rather than a literal in the term string.
- debug:
    msg: "{{ lookup('community.general.hashi_vault', 'secret=secret/hello:value token=c975b780-d1be-8016-866b-01d0f9b688a5 url=http://myvault:8200') }}"

- name: Return all secrets from a path
  debug:
    msg: "{{ lookup('community.general.hashi_vault', 'secret=secret/hello token=c975b780-d1be-8016-866b-01d0f9b688a5 url=http://myvault:8200') }}"

# No url= here, so the address presumably comes from VAULT_ADDR or the
# plugin default (http://127.0.0.1:8200) — confirm for your environment.
- name: Vault that requires authentication via LDAP
  debug:
    msg: "{{ lookup('community.general.hashi_vault', 'secret/hello:value auth_method=ldap mount_point=ldap username=myuser password=mypas') }}"

- name: Vault that requires authentication via username and password
  debug:
    msg: "{{ lookup('community.general.hashi_vault', 'secret=secret/hello:value auth_method=userpass username=myuser password=psw url=http://myvault:8200') }}"
# validate_certs=False turns off server certificate verification: the token
# and the returned secret can then be read by anyone able to impersonate the
# Vault endpoint. For a private CA keep validation on and point cacert at
# the CA bundle, as the next example does.
- name: Using an ssl vault
  debug:
    msg: "{{ lookup('community.general.hashi_vault', 'secret=secret/hola:value token=c975b780-d1be-8016-866b-01d0f9b688a5 validate_certs=False') }}"

# Despite the task name this still authenticates with a token; the
# certificate here is the CA used to validate the server's TLS certificate.
- name: using certificate auth
  debug:
    msg: "{{ lookup('community.general.hashi_vault', 'secret/hi:value token=xxxx url=https://myvault:8200 validate_certs=True cacert=/cacert/path/ca.pem') }}"
# AppRole: role_id and secret_id may also come from VAULT_ROLE_ID and
# VAULT_SECRET_ID instead of being written into the term string.
- name: authenticate with a Vault app role
  debug:
    msg: "{{ lookup('community.general.hashi_vault', 'secret=secret/hello:value auth_method=approle role_id=myroleid secret_id=mysecretid') }}"

# Namespaces require HVAC 0.7.0+ and Vault 0.11+ (see the namespace option).
- name: Return all secrets from a path in a namespace
  debug:
    msg: "{{ lookup('community.general.hashi_vault', 'secret=secret/hello token=c975b780-d1be-8016-866b-01d0f9b688a5 namespace=teama/admins') }}"
# When using KV v2 the PATH should include "data" between the secret engine
# mount and path (e.g. "secret/data/:path")
# see: https://www.vaultproject.io/api/secret/kv/kv-v2.html#read-secret-version
- name: Return latest KV v2 secret from path
  debug:
    msg: "{{ lookup('community.general.hashi_vault', 'secret=secret/data/hello token=my_vault_token url=http://myvault_url:8200') }}"

# The following examples work in collection releases after Ansible 2.10
- name: secret= is not required if secret is first
  debug:
    msg: "{{ lookup('community.general.hashi_vault', 'secret/data/hello token=<token> url=http://myvault_url:8200') }}"

# Keyword arguments keep option values out of the term string and let them
# be ordinary Ansible variables.
- name: options can be specified as parameters rather than put in term string
  debug:
    msg: "{{ lookup('community.general.hashi_vault', 'secret/data/hello', token=my_token_var, url='http://myvault_url:8200') }}"
# return_format (or its alias 'as') can control how secrets are returned to you.
# Note that the debug tasks below print secret values into the task output
# and any configured logging; outside of a demonstration, avoid echoing
# secrets (e.g. with no_log: true on the task).
- name: return secrets as a dict (default)
  set_fact:
    my_secrets: "{{ lookup('community.general.hashi_vault', 'secret/data/manysecrets', token=my_token_var, url='http://myvault_url:8200') }}"

- debug:
    msg: "{{ my_secrets['secret_key'] }}"

- debug:
    msg: "Secret '{{ item.key }}' has value '{{ item.value }}'"
  loop: "{{ my_secrets | dict2items }}"

- name: return secrets as values only
  debug:
    msg: "A secret value: {{ item }}"
  loop: "{{ query('community.general.hashi_vault', 'secret/data/manysecrets', token=my_token_var, url='http://myvault_url:8200', return_format='values') }}"

# as='raw' keeps the full API response, so the value sits under
# data.data and version information under metadata.
- name: return raw secret from API, including metadata
  set_fact:
    my_secret: "{{ lookup('community.general.hashi_vault', 'secret/data/hello:value', token=my_token_var, url='http://myvault_url:8200', as='raw') }}"

- debug:
    msg: "This is version {{ my_secret['metadata']['version'] }} of hello:value. The secret data is {{ my_secret['data']['data']['value'] }}"
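# AWS IAM authentication method
# uses Ansible standard AWS options
# Fixed: the original expression was missing the comma between
# auth_method='aws_iam_login' and role_id=..., which is a Jinja syntax
# error, and passed the profile as `profile=`; the option documented on
# this page is aws_profile (alias boto_profile).
- name: authenticate with aws_iam_login
  debug:
    msg: "{{ lookup('community.general.hashi_vault', 'secret/hello:value', auth_method='aws_iam_login', role_id='myroleid', aws_profile=my_boto_profile) }}"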
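# Lookup options. A value may be given in the term string, as a lookup
# keyword argument, through the listed environment variables, or (where an
# ini entry exists) from the [lookup_hashi_vault] section of ansible.cfg.
url:
  # Default is plain HTTP; point this (or VAULT_ADDR) at an https:// endpoint
  # so the token and the returned secrets are not sent in clear text.
  default: 'http://127.0.0.1:8200'
  description: URL to vault service.
  env:
    - name: VAULT_ADDR
  ini:
    - key: url
      section: lookup_hashi_vault
      version_added: 0.2.0
      version_added_collection: community.general
token:
  # Fixed: the description was one sentence split across two list items,
  # which renders as two broken paragraphs.
  description:
    - >-
      Vault token. If using token auth and no token is supplied, explicitly or
      through env, then the plugin will check for a token file, as determined
      by C(token_path) and C(token_file).
  env:
    - name: VAULT_TOKEN
region:
  description: The AWS region for which to create the connection.
  env:
    - name: EC2_REGION
    - name: AWS_REGION
  type: str
  version_added: 0.2.0
  version_added_collection: community.general
secret:
  description: query you are making.
  required: true
ca_cert:
  aliases:
    - cacert
  description: Path to certificate to use for authentication.
role_id:
  description: Vault Role ID. Used in approle and aws_iam_login auth methods.
  env:
    - name: VAULT_ROLE_ID
  ini:
    - key: role_id
      section: lookup_hashi_vault
      version_added: 0.2.0
      version_added_collection: community.general
password:
  description: Authentication password.
username:
  description: Authentication user name.
namespace:
  description: Namespace where secrets reside. Requires HVAC 0.7.0+ and Vault 0.11+.
secret_id:
  description: Secret id for a vault AppRole auth.
  env:
    - name: VAULT_SECRET_ID
token_file:
  default: .vault-token
  description: If no token is specified, will try to read the token from this file in C(token_path).
  ini:
    - key: token_file
      section: lookup_hashi_vault
      version_added: 0.2.0
      version_added_collection: community.general
token_path:
  # With the env fallback below and the token_file default, the file read
  # when no token is given is $HOME/.vault-token.
  description: If no token is specified, will try to read the token file from this path.
  env:
    - name: HOME
  ini:
    - key: token_path
      section: lookup_hashi_vault
      version_added: 0.2.0
      version_added_collection: community.general
auth_method:
  choices:
    - token
    - userpass
    - ldap
    - approle
    - aws_iam_login
  default: token
  description:
    - Authentication method to be used.
    - C(userpass) is added in Ansible 2.8.
    - C(aws_iam_login) is added in Ansible 2.10.
  env:
    - name: VAULT_AUTH_METHOD
  ini:
    - key: auth_method
      section: lookup_hashi_vault
      version_added: 0.2.0
      version_added_collection: community.general
aws_profile:
  aliases:
    - boto_profile
  description: The AWS profile
  env:
    - name: AWS_DEFAULT_PROFILE
    - name: AWS_PROFILE
  type: str
  version_added: 0.2.0
  version_added_collection: community.general
mount_point:
  description: Vault mount point, only required if you have a custom mount point.
return_format:
  aliases:
    - as
  choices:
    - dict
    - values
    - raw
  default: dict
  description:
    - Controls how multiple key/value pairs in a path are treated on return.
    - C(dict) returns a single dict containing the key/value pairs (same behavior as before Ansible 2.10).
    - C(values) returns a list of all the values only. Use when you don't care about the keys.
    - C(raw) returns the actual API result, which includes metadata and may have the data nested in other keys.
  version_added: 0.2.0
  version_added_collection: community.general
aws_access_key:
  aliases:
    - aws_access_key_id
  description: The AWS access key to use.
  env:
    - name: EC2_ACCESS_KEY
    - name: AWS_ACCESS_KEY
    - name: AWS_ACCESS_KEY_ID
  type: str
  version_added: 0.2.0
  version_added_collection: community.general
aws_secret_key:
  aliases:
    - aws_secret_access_key
  description: The AWS secret key that corresponds to the access key.
  env:
    - name: EC2_SECRET_KEY
    - name: AWS_SECRET_KEY
    - name: AWS_SECRET_ACCESS_KEY
  type: str
  version_added: 0.2.0
  version_added_collection: community.general
validate_certs:
  default: true
  # Turning this off removes server certificate verification, so the token
  # and the secrets returned could be intercepted by anyone able to
  # impersonate the Vault endpoint. With a self-signed or private CA, keep
  # this true and supply the CA through ca_cert instead.
  description: Controls verification and validation of SSL certificates, mostly you only want to turn off with self signed ones.
  type: boolean
aws_security_token:
  description: The AWS security token if using temporary access and secret keys.
  env:
    - name: EC2_SECURITY_TOKEN
    - name: AWS_SESSION_TOKEN
    - name: AWS_SECURITY_TOKEN
  type: str
  version_added: 0.2.0
  version_added_collection: community.general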
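# Return value documentation. Fixed the typo "secrets(s)".
_raw:
  # The shape follows return_format: a dict by default, a list of values
  # with return_format=values, or the raw API response with return_format=raw.
  description:
    - secret(s) requested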