community.general.hashi_vault (1.3.14) — lookup

Retrieve secrets from HashiCorp's Vault

Authors: Jonathan Davila (!UNKNOWN) <jdavila(at)ansible.com>, Brian Scholer (@briantist)

Install collection

Install with ansible-galaxy collection install community.general:==1.3.14


Add to requirements.yml

  collections:
    - name: community.general
      version: 1.3.14

Description

Retrieve secrets from HashiCorp's Vault.


Requirements

Usage examples

# Minimal form: everything, including the Vault token, lives in the lookup term string.
# A token written literally into a playbook ends up in version control and in the task
# output of this debug call. Prefer supplying it via the VAULT_TOKEN environment variable
# (see the token option) or an Ansible Vault-encrypted variable.
# An http:// url sends the token and the returned secret in clear text.
- ansible.builtin.debug:
    msg: "{{ lookup('community.general.hashi_vault', 'secret=secret/hello:value token=c975b780-d1be-8016-866b-01d0f9b688a5 url=http://myvault:8200') }}"
# Without a ":field" suffix every key/value pair under the path is returned as one dict
# (the default return_format). debug prints all of them to the play output; with real
# secrets, set no_log: true on the task or avoid debug altogether.
# Literal token and http:// url as in the example above: use VAULT_TOKEN and https://.
- name: Return all secrets from a path
  ansible.builtin.debug:
    msg: "{{ lookup('community.general.hashi_vault', 'secret=secret/hello token=c975b780-d1be-8016-866b-01d0f9b688a5 url=http://myvault:8200') }}"
# LDAP auth: username/password are the directory credentials Vault forwards to LDAP; a
# password in a plain playbook is a stored credential, so keep it in an Ansible
# Vault-encrypted variable. mount_point is only needed when the ldap auth method is
# mounted somewhere other than its default path (see the mount_point option).
# No url is given, so VAULT_ADDR or the default http://127.0.0.1:8200 is used.
- name: Vault that requires authentication via LDAP
  ansible.builtin.debug:
    msg: "{{ lookup('community.general.hashi_vault', 'secret/hello:value auth_method=ldap mount_point=ldap username=myuser password=mypas') }}"
# userpass auth against Vault's own user database. The password is a credential: do not
# commit it in clear text, and do not send it over an http:// url as shown here — use
# https:// for anything other than a local dev server.
- name: Vault that requires authentication via username and password
  ansible.builtin.debug:
    msg: "{{ lookup('community.general.hashi_vault', 'secret=secret/hello:value auth_method=userpass username=myuser password=psw url=http://myvault:8200') }}"
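# validate_certs=False disables verification of the Vault server certificate, so TLS
# here only provides encryption, not server authentication: an attacker able to
# intercept the connection can present any certificate and capture the token and the
# returned secret. Acceptable only for a throwaway self-signed dev instance; otherwise
# leave verification on and point ca_cert/cacert at the CA bundle (next example).
# No url is given, so VAULT_ADDR or the default http://127.0.0.1:8200 is used — TLS is
# only involved at all if that address is https://.
- name: Connect to Vault using TLS without verifying the server certificate (test setups only)
  ansible.builtin.debug:
    msg: "{{ lookup('community.general.hashi_vault', 'secret=secret/hola:value token=c975b780-d1be-8016-866b-01d0f9b688a5 validate_certs=False') }}"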
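# This is still token authentication (auth_method defaults to token; a TLS client
# certificate auth method is not among this plugin's auth_method choices). The
# certificate involved is the CA bundle given via cacert, used together with
# validate_certs=True to verify the https:// server certificate. This is the recommended
# TLS setup: verification on, private CA supplied explicitly.
# token=xxxx is a placeholder; supply the real token via VAULT_TOKEN, not in the playbook.
- name: Connect to Vault over TLS, verifying the server certificate against a custom CA
  ansible.builtin.debug:
    msg: "{{ lookup('community.general.hashi_vault', 'secret/hi:value token=xxxx url=https://myvault:8200 validate_certs=True cacert=/cacert/path/ca.pem') }}"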
# AppRole auth. role_id and secret_id are both credentials; the secret_id in particular
# should not be committed — both can be supplied through the VAULT_ROLE_ID and
# VAULT_SECRET_ID environment variables instead (see the role_id / secret_id options).
# No url is given, so VAULT_ADDR or the default http://127.0.0.1:8200 is used.
- name: Authenticate with a Vault app role
  ansible.builtin.debug:
    msg: "{{ lookup('community.general.hashi_vault', 'secret=secret/hello:value auth_method=approle role_id=myroleid secret_id=mysecretid') }}"
# Vault Enterprise namespaces: the lookup is scoped to teama/admins (equivalently the
# namespace could be prefixed onto the secret path, see the namespace option). The token
# must have been issued within that namespace. Literal token as above — prefer VAULT_TOKEN.
# No url is given, so VAULT_ADDR or the default http://127.0.0.1:8200 is used.
- name: Return all secrets from a path in a namespace
  ansible.builtin.debug:
    msg: "{{ lookup('community.general.hashi_vault', 'secret=secret/hello token=c975b780-d1be-8016-866b-01d0f9b688a5 namespace=teama/admins') }}"
# When using KV v2 the PATH should include "data" between the secret engine mount and path (e.g. "secret/data/:path")
# see: https://www.vaultproject.io/api/secret/kv/kv-v2.html#read-secret-version
# Without ":field" the whole latest version is returned as a dict.
# Note that inside the quoted term string 'token=my_vault_token' is the literal text
# "my_vault_token", not an Ansible variable; to pass a variable use the parameter form
# shown further below (token=my_token_var outside the string). http:// url is clear text.
- name: Return latest KV v2 secret from path
  ansible.builtin.debug:
    msg: "{{ lookup('community.general.hashi_vault', 'secret=secret/data/hello token=my_vault_token url=http://myvault_url:8200') }}"
# The following examples work in collection releases after community.general 0.2.0

# The first term is taken as the secret path, so the "secret=" prefix may be dropped.
# <token> is a placeholder; supply the real value via VAULT_TOKEN rather than editing it
# into the playbook. http:// url is clear text.
- name: secret= is not required if secret is first
  ansible.builtin.debug:
    msg: "{{ lookup('community.general.hashi_vault', 'secret/data/hello token=<token> url=http://myvault_url:8200') }}"
# Parameter form: token=my_token_var is a Jinja variable reference, so the token can come
# from an Ansible Vault-encrypted vars file instead of appearing in the playbook. This is
# the preferred way to pass credentials to the lookup. http:// url is clear text.
- name: options can be specified as parameters rather than put in term string
  ansible.builtin.debug:
    msg: "{{ lookup('community.general.hashi_vault', 'secret/data/hello', token=my_token_var, url='http://myvault_url:8200') }}"
# return_format (or its alias 'as') can control how secrets are returned to you
# Default dict return: my_secrets becomes a mapping of every key under the path.
# set_fact keeps the secrets as a host fact for the rest of the play, and if fact caching
# is enabled they are written to the cache backend as well; scope such facts narrowly
# and consider no_log: true on this task.
- name: return secrets as a dict (default)
  ansible.builtin.set_fact:
    my_secrets: "{{ lookup('community.general.hashi_vault', 'secret/data/manysecrets', token=my_token_var, url='http://myvault_url:8200') }}"
# Reads one key from the dict returned above. This prints the secret value in the play
# output; use no_log: true when the value is real.
- ansible.builtin.debug:
    msg: "{{ my_secrets['secret_key'] }}"
# Iterates every key/value pair of the returned dict and prints both. With real data this
# writes all secrets at the path to the log; use no_log: true or loop_control.label.
- ansible.builtin.debug:
    msg: "Secret '{{ item.key }}' has value '{{ item.value }}'"
  loop: "{{ my_secrets | dict2items }}"
# return_format='values' drops the keys and yields only the values; query() returns them
# as a list suitable for loop. Each value is printed — same no_log caveat as above.
- name: return secrets as values only
  ansible.builtin.debug:
    msg: "A secret value: {{ item }}"
  loop: "{{ query('community.general.hashi_vault', 'secret/data/manysecrets', token=my_token_var, url='http://myvault_url:8200', return_format='values') }}"
# as='raw' (alias of return_format) returns the unprocessed API response, so the data is
# nested under ['data']['data'] alongside ['metadata'] for KV v2. The whole response,
# secret included, is stored as a host fact by set_fact (see the fact-caching caveat above).
- name: return raw secret from API, including metadata
  ansible.builtin.set_fact:
    my_secret: "{{ lookup('community.general.hashi_vault', 'secret/data/hello:value', token=my_token_var, url='http://myvault_url:8200', as='raw') }}"
# Shows where version metadata and the value live in the raw response. Prints the secret
# value; use no_log: true with real data.
- ansible.builtin.debug:
    msg: "This is version {{ my_secret['metadata']['version'] }} of hello:value. The secret data is {{ my_secret['data']['data']['value'] }}"
# AWS IAM authentication method
# uses Ansible standard AWS options

# AWS IAM auth: the AWS credentials come from the named boto profile (or the AWS_*
# environment variables / aws_access_key options), so no Vault secret is stored in the
# playbook. role_id here is the Vault aws auth role to log in as (see the role_id option).
# No url is given, so VAULT_ADDR or the default http://127.0.0.1:8200 is used.
- name: authenticate with aws_iam_login
  ansible.builtin.debug:
    msg: "{{ lookup('community.general.hashi_vault', 'secret/hello:value', auth_method='aws_iam_login', role_id='myroleid', profile=my_boto_profile) }}"
# The following examples work in collection releases after community.general 1.3.0

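# JWT auth (community.general 1.3.0+). The token passed as jwt= is a bearer credential
# for the Vault role named by role_id; 'myjwt' is a placeholder — supply the real value
# through the ANSIBLE_HASHI_VAULT_JWT environment variable or a vaulted variable, not a
# literal. Uses an https:// url, which is what every non-local example should do.
# (msg is indented to match the other tasks on this page.)
- name: Authenticate with a JWT
  ansible.builtin.debug:
    msg: "{{ lookup('community.general.hashi_vault', 'secret/hello:value', auth_method='jwt', role_id='myroleid', jwt='myjwt', url='https://myvault:8200')}}"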

Inputs

    
jwt:
    description: The JSON Web Token (JWT) to use for JWT authentication to Vault.
    env:
    - name: ANSIBLE_HASHI_VAULT_JWT
    version_added: 1.3.0
    version_added_collection: community.general

url:
    default: http://127.0.0.1:8200
    description:
    - URL to the Vault service.
    - The default is plain HTTP and is only appropriate for a local development server;
      for any other Vault use an C(https://) URL, otherwise the token and the returned
      secrets travel in clear text.
    env:
    - name: VAULT_ADDR
    ini:
    - key: url
      section: lookup_hashi_vault
      version_added: 0.2.0
      version_added_collection: community.general

token:
    description:
    - Vault token. If using token auth and no token is supplied, explicitly or through
      env, then the plugin will check for a token file, as determined by C(token_path)
      and C(token_file).
    - The token is a credential. Prefer supplying it through the C(VAULT_TOKEN) environment
      variable or an Ansible Vault-encrypted variable rather than writing it into a
      playbook or term string.
    env:
    - name: VAULT_TOKEN

region:
    description: The AWS region for which to create the connection.
    env:
    - name: EC2_REGION
    - name: AWS_REGION
    type: str
    version_added: 0.2.0
    version_added_collection: community.general

secret:
    description:
    - Vault path to the secret being requested in the format C(path[:field]).
    - If C(:field) is omitted, every key/value pair at the path is returned (see I(return_format)).
    - For KV version 2 engines the path must include C(data) between the mount and the
      secret path, for example C(secret/data/hello).
    required: true

ca_cert:
    aliases:
    - cacert
    description: Path to the CA certificate (or bundle) used to verify the Vault server's
      TLS certificate when I(validate_certs) is enabled. This is not a client certificate
      for authenticating to Vault.

role_id:
    description: Vault Role ID. Used in approle and aws_iam_login auth methods.
    env:
    - name: VAULT_ROLE_ID
    ini:
    - key: role_id
      section: lookup_hashi_vault
      version_added: 0.2.0
      version_added_collection: community.general

password:
    description: Authentication password.

username:
    description: Authentication user name.

namespace:
    description:
    - Vault namespace where secrets reside. This option requires HVAC 0.7.0+ and Vault
      0.11+.
    - Optionally, this may be achieved by prefixing the authentication mount point and/or
      secret path with the namespace (e.g C(mynamespace/secret/mysecret)).
    env:
    - name: VAULT_NAMESPACE
      version_added: 1.2.0
      version_added_collection: community.general

secret_id:
    description: Secret ID to be used for Vault AppRole authentication.
    env:
    - name: VAULT_SECRET_ID

token_file:
    default: .vault-token
    description: If no token is specified, will try to read the token from this file in
      C(token_path).
    env:
    - name: VAULT_TOKEN_FILE
      version_added: 1.2.0
      version_added_collection: community.general
    ini:
    - key: token_file
      section: lookup_hashi_vault
    version_added: 0.2.0
    version_added_collection: community.general

token_path:
    description: If no token is specified, will try to read the token file from this path.
    env:
    - name: VAULT_TOKEN_PATH
      version_added: 1.2.0
      version_added_collection: community.general
    ini:
    - key: token_path
      section: lookup_hashi_vault
    version_added: 0.2.0
    version_added_collection: community.general

auth_method:
    choices:
    - token
    - userpass
    - ldap
    - approle
    - aws_iam_login
    - jwt
    default: token
    description:
    - Authentication method to be used.
    - C(userpass) is added in Ansible 2.8.
    - C(aws_iam_login) is added in community.general 0.2.0.
    - C(jwt) is added in community.general 1.3.0.
    env:
    - name: VAULT_AUTH_METHOD
    ini:
    - key: auth_method
      section: lookup_hashi_vault
      version_added: 0.2.0
      version_added_collection: community.general

aws_profile:
    aliases:
    - boto_profile
    description: The AWS profile
    env:
    - name: AWS_DEFAULT_PROFILE
    - name: AWS_PROFILE
    type: str
    version_added: 0.2.0
    version_added_collection: community.general

mount_point:
    description: Vault mount point, only required if you have a custom mount point. Does
      not apply to token authentication.

return_format:
    aliases:
    - as
    choices:
    - dict
    - values
    - raw
    default: dict
    description:
    - Controls how multiple key/value pairs in a path are treated on return.
    - C(dict) returns a single dict containing the key/value pairs (same behavior as before
      community.general 0.2.0).
    - C(values) returns a list of all the values only. Use when you don't care about the
      keys.
    - C(raw) returns the actual API result, which includes metadata and may have the data
      nested in other keys.
    version_added: 0.2.0
    version_added_collection: community.general

aws_access_key:
    aliases:
    - aws_access_key_id
    description: The AWS access key to use.
    env:
    - name: EC2_ACCESS_KEY
    - name: AWS_ACCESS_KEY
    - name: AWS_ACCESS_KEY_ID
    type: str
    version_added: 0.2.0
    version_added_collection: community.general

aws_secret_key:
    aliases:
    - aws_secret_access_key
    description: The AWS secret key that corresponds to the access key.
    env:
    - name: EC2_SECRET_KEY
    - name: AWS_SECRET_KEY
    - name: AWS_SECRET_ACCESS_KEY
    type: str
    version_added: 0.2.0
    version_added_collection: community.general

validate_certs:
    description:
    - Controls verification and validation of SSL certificates. Disabling it leaves the
      connection open to man-in-the-middle interception of the token and the returned
      secrets; only turn it off for a throwaway self-signed test server, and prefer
      keeping it on and supplying the signing CA via I(ca_cert).
    - Will be populated with the inverse of C(VAULT_SKIP_VERIFY) if that is set and I(validate_certs)
      is not explicitly provided (added in community.general 1.3.0).
    - Will default to C(true) if neither I(validate_certs) nor C(VAULT_SKIP_VERIFY) is
      set.
    type: boolean

aws_security_token:
    description: The AWS security token if using temporary access and secret keys.
    env:
    - name: EC2_SECURITY_TOKEN
    - name: AWS_SESSION_TOKEN
    - name: AWS_SECURITY_TOKEN
    type: str
    version_added: 0.2.0
    version_added_collection: community.general

Outputs

_raw:
  description:
  - secret(s) requested; the shape of each element depends on I(return_format)
  elements: dict
  type: list