community.hashi_vault.hashi_vault (6.2.0) — lookup

Retrieve secrets from HashiCorp's Vault

Authors: Julie Davila (@juliedavila) <julie(at)davila.io>, Brian Scholer (@briantist)

Install collection

Install with ansible-galaxy collection install community.hashi_vault:==6.2.0


Add to requirements.yml

  collections:
    - name: community.hashi_vault
      version: 6.2.0

Description

Retrieve secrets from HashiCorp's Vault.

Consider migrating to other plugins in the collection (see the collection docsite page ansible_collections.community.hashi_vault.docsite.migration_hashi_vault_lookup).


Requirements

Usage examples

- ansible.builtin.debug:
    msg: "{{ lookup('community.hashi_vault.hashi_vault', 'secret=secret/hello:value token=c975b780-d1be-8016-866b-01d0f9b688a5 url=http://myvault:8200') }}"
- name: Return all secrets from a path
  ansible.builtin.debug:
    msg: "{{ lookup('community.hashi_vault.hashi_vault', 'secret=secret/hello token=c975b780-d1be-8016-866b-01d0f9b688a5 url=http://myvault:8200') }}"
- name: Vault that requires authentication via LDAP
  ansible.builtin.debug:
    msg: "{{ lookup('community.hashi_vault.hashi_vault', 'secret/hello:value auth_method=ldap mount_point=ldap username=myuser password=mypas') }}"
- name: Vault that requires authentication via username and password
  ansible.builtin.debug:
    msg: "{{ lookup('community.hashi_vault.hashi_vault', 'secret=secret/hola:val auth_method=userpass username=myuser password=psw url=http://vault:8200') }}"
- name: Connect to Vault using TLS
  ansible.builtin.debug:
    msg: "{{ lookup('community.hashi_vault.hashi_vault', 'secret=secret/hola:value token=c975b780-d1be-8016-866b-01d0f9b688a5 validate_certs=False') }}"
- name: using certificate auth
  ansible.builtin.debug:
    msg: "{{ lookup('community.hashi_vault.hashi_vault', 'secret/hi:val token=xxxx url=https://vault:8200 validate_certs=True cacert=/cacert/path/ca.pem') }}"
- name: Authenticate with a Vault app role
  ansible.builtin.debug:
    msg: "{{ lookup('community.hashi_vault.hashi_vault', 'secret=secret/hello:value auth_method=approle role_id=myroleid secret_id=mysecretid') }}"
- name: Return all secrets from a path in a namespace
  ansible.builtin.debug:
    msg: "{{ lookup('community.hashi_vault.hashi_vault', 'secret=secret/hello token=c975b780-d1be-8016-866b-01d0f9b688a5 namespace=teama/admins') }}"
# When using KV v2 the PATH should include "data" between the secret engine mount and path (e.g. "secret/data/:path")
# see: https://www.vaultproject.io/api/secret/kv/kv-v2.html#read-secret-version
- name: Return latest KV v2 secret from path
  ansible.builtin.debug:
    msg: "{{ lookup('community.hashi_vault.hashi_vault', 'secret=secret/data/hello token=my_vault_token url=http://myvault_url:8200') }}"
# The following examples show more modern syntax, with parameters specified separately from the term string.

- name: secret= is not required if secret is first
  ansible.builtin.debug:
    msg: "{{ lookup('community.hashi_vault.hashi_vault', 'secret/data/hello token=<token> url=http://myvault_url:8200') }}"
- name: options can be specified as parameters rather than put in term string
  ansible.builtin.debug:
    msg: "{{ lookup('community.hashi_vault.hashi_vault', 'secret/data/hello', token=my_token_var, url='http://myvault_url:8200') }}"
# return_format (or its alias 'as') can control how secrets are returned to you
- name: return secrets as a dict (default)
  ansible.builtin.set_fact:
    my_secrets: "{{ lookup('community.hashi_vault.hashi_vault', 'secret/data/manysecrets', token=my_token_var, url='http://myvault_url:8200') }}"
- ansible.builtin.debug:
    msg: "{{ my_secrets['secret_key'] }}"
- ansible.builtin.debug:
    msg: "Secret '{{ item.key }}' has value '{{ item.value }}'"
  loop: "{{ my_secrets | dict2items }}"
- name: return secrets as values only
  ansible.builtin.debug:
    msg: "A secret value: {{ item }}"
  loop: "{{ query('community.hashi_vault.hashi_vault', 'secret/data/manysecrets', token=my_token_var, url='http://vault_url:8200', return_format='values') }}"
- name: return raw secret from API, including metadata
  ansible.builtin.set_fact:
    my_secret: "{{ lookup('community.hashi_vault.hashi_vault', 'secret/data/hello:value', token=my_token_var, url='http://myvault_url:8200', as='raw') }}"
- ansible.builtin.debug:
    msg: "This is version {{ my_secret['metadata']['version'] }} of hello:value. The secret data is {{ my_secret['data']['data']['value'] }}"
# AWS IAM authentication method
# uses Ansible standard AWS options

- name: authenticate with aws_iam
  ansible.builtin.debug:
    msg: "{{ lookup('community.hashi_vault.hashi_vault', 'secret/hello:value', auth_method='aws_iam', role_id='myroleid', profile=my_boto_profile) }}"
# JWT auth

- name: Authenticate with a JWT
  ansible.builtin.debug:
    msg: "{{ lookup('community.hashi_vault.hashi_vault', 'secret/hola:val', auth_method='jwt', role_id='myroleid', jwt='myjwt', url='https://vault:8200') }}"
# Disabling Token Validation
# Use this when your token does not have the lookup-self capability. Usually this is granted to all tokens via the default policy.
# However, you can choose to create tokens without applying the default policy, or you can modify your default policy not to include it.
# When validation is disabled, an invalid or expired token will be indistinguishable from insufficient permissions.

- name: authenticate without token validation
  ansible.builtin.debug:
    msg: "{{ lookup('community.hashi_vault.hashi_vault', 'secret/hello:value', token=my_token, token_validate=False) }}"
# "none" auth method does no authentication and does not send a token to the Vault address.
# One example of where this could be used is with a Vault agent where the agent will handle authentication to Vault.
# https://www.vaultproject.io/docs/agent

- name: authenticate with vault agent
  ansible.builtin.debug:
    msg: "{{ lookup('community.hashi_vault.hashi_vault', 'secret/hello:value', auth_method='none', url='http://127.0.0.1:8100') }}"
# Use a proxy

- name: use a proxy with login/password
  ansible.builtin.debug:
    msg: "{{ lookup('community.hashi_vault.hashi_vault', 'secret=... token=... url=https://... proxies=https://user:pass@myproxy:8080') }}"
- name: 'use a socks proxy (need some additional dependencies, see: https://requests.readthedocs.io/en/master/user/advanced/#socks )'
  ansible.builtin.debug:
    msg: "{{ lookup('community.hashi_vault.hashi_vault', 'secret=... token=... url=https://... proxies=socks5://myproxy:1080') }}"
- name: use proxies with a dict (as param)
  ansible.builtin.debug:
    msg: "{{ lookup('community.hashi_vault.hashi_vault', '...', proxies={'http': 'http://myproxy1', 'https': 'http://myproxy2'}) }}"
- name: use proxies with a dict (as param, pre-defined var)
  vars:
    prox:
      http: http://myproxy1
      https: https://myproxy2
  ansible.builtin.debug:
    msg: "{{ lookup('community.hashi_vault.hashi_vault', '...', proxies=prox) }}"
- name: use proxies with a dict (as direct ansible var)
  vars:
    ansible_hashi_vault_proxies:
      http: http://myproxy1
      https: https://myproxy2
  ansible.builtin.debug:
    msg: "{{ lookup('community.hashi_vault.hashi_vault', '...') }}"
- name: use proxies with a dict (in the term string, JSON syntax)
  ansible.builtin.debug:
    msg: "{{ lookup('community.hashi_vault.hashi_vault', '... proxies={\"http\":\"http://myproxy1\",\"https\":\"http://myproxy2\"}') }}"
- name: use ansible vars to supply some options
  vars:
    ansible_hashi_vault_url: 'https://myvault:8282'
    ansible_hashi_vault_auth_method: token
  set_fact:
    secret1: "{{ lookup('community.hashi_vault.hashi_vault', 'secret/data/secret1') }}"
    secret2: "{{ lookup('community.hashi_vault.hashi_vault', 'secret/data/secret2') }}"
- name: use a custom timeout
  debug:
    msg: "{{ lookup('community.hashi_vault.hashi_vault', 'secret/data/secret1', timeout=120) }}"
- name: use a custom timeout and retry on failure 3 times (with collection retry defaults)
  vars:
    ansible_hashi_vault_timeout: 5
    ansible_hashi_vault_retries: 3
  debug:
    msg: "{{ lookup('community.hashi_vault.hashi_vault', 'secret/data/secret1') }}"
- name: retry on failure (with custom retry settings and no warnings)
  vars:
    ansible_hashi_vault_retries:
      total: 6
      backoff_factor: 0.9
      status_forcelist: [500, 502]
      allowed_methods:
        - GET
        - PUT
  debug:
    msg: "{{ lookup('community.hashi_vault.hashi_vault', 'secret/data/secret1', retry_action='warn') }}"

Inputs

jwt:
    description: The JSON Web Token (JWT) to use for JWT authentication to Vault.
    env:
    - name: ANSIBLE_HASHI_VAULT_JWT
    type: str

url:
    description:
    - URL to the Vault service.
    - If not specified by any other means, the value of the C(VAULT_ADDR) environment
      variable will be used.
    - If C(VAULT_ADDR) is also not defined then an error will be raised.
    env:
    - name: ANSIBLE_HASHI_VAULT_ADDR
      version_added: 0.2.0
      version_added_collection: community.hashi_vault
    ini:
    - key: url
      section: hashi_vault_collection
      version_added: 1.4.0
      version_added_collection: community.hashi_vault
    type: str
    vars:
    - name: ansible_hashi_vault_url
      version_added: 1.2.0
      version_added_collection: community.hashi_vault
    - name: ansible_hashi_vault_addr
      version_added: 1.2.0
      version_added_collection: community.hashi_vault

token:
    description:
    - Vault token. Token may be specified explicitly, through the listed [env] vars, and
      also through the C(VAULT_TOKEN) env var.
    - If no token is supplied, explicitly or through env, then the plugin will check for
      a token file, as determined by I(token_path) and I(token_file).
    - The order of token loading (first found wins) is C(token param -> ansible var ->
      ANSIBLE_HASHI_VAULT_TOKEN -> VAULT_TOKEN -> token file).
    env:
    - name: ANSIBLE_HASHI_VAULT_TOKEN
      version_added: 0.2.0
      version_added_collection: community.hashi_vault
    type: str
    vars:
    - name: ansible_hashi_vault_token
      version_added: 1.2.0
      version_added_collection: community.hashi_vault

region:
    description: The AWS region for which to create the connection.
    env:
    - name: EC2_REGION
    - name: AWS_REGION
    type: str

secret:
    description: Vault path to the secret being requested in the format C(path[:field]).
    required: true

ca_cert:
    aliases:
    - cacert
    description:
    - Path to certificate to use for authentication.
    - If not specified by any other means, the C(VAULT_CACERT) environment variable will
      be used.
    env:
    - name: ANSIBLE_HASHI_VAULT_CA_CERT
      version_added: 1.2.0
      version_added_collection: community.hashi_vault
    ini:
    - key: ca_cert
      section: hashi_vault_collection
      version_added: 1.4.0
      version_added_collection: community.hashi_vault
    type: str
    vars:
    - name: ansible_hashi_vault_ca_cert
      version_added: 1.2.0
      version_added_collection: community.hashi_vault

proxies:
    description:
    - URL(s) to the proxies used to access the Vault service.
    - It can be a string or a dict.
    - If it's a dict, provide the scheme (eg. C(http) or C(https)) as the key, and the
      URL as the value.
    - If it's a string, provide a single URL that will be used as the proxy for both C(http)
      and C(https) schemes.
    - A string that can be interpreted as a dictionary will be converted to one (see examples).
    - You can specify a different proxy for HTTP and HTTPS resources.
    - If not specified, L(environment variables from the Requests library,https://requests.readthedocs.io/en/master/user/advanced/#proxies)
      are used.
    env:
    - name: ANSIBLE_HASHI_VAULT_PROXIES
    ini:
    - key: proxies
      section: hashi_vault_collection
      version_added: 1.4.0
      version_added_collection: community.hashi_vault
    type: raw
    vars:
    - name: ansible_hashi_vault_proxies
      version_added: 1.2.0
      version_added_collection: community.hashi_vault
    version_added: 1.1.0
    version_added_collection: community.hashi_vault

retries:
    description:
    - Allows for retrying on errors, based on the L(Retry class in the urllib3 library,https://urllib3.readthedocs.io/en/latest/reference/urllib3.util.html#urllib3.util.Retry).
    - This collection defines recommended defaults for retrying connections to Vault.
    - This option can be specified as a positive number (integer) or dictionary.
    - If this option is not specified or the number is C(0), then retries are disabled.
    - A number sets the total number of retries, and uses collection defaults for the
      other settings.
    - A dictionary value is used directly to initialize the C(Retry) class, so it can
      be used to fully customize retries.
    - For detailed information on retries, see the collection User Guide.
    env:
    - name: ANSIBLE_HASHI_VAULT_RETRIES
    ini:
    - key: retries
      section: hashi_vault_collection
      version_added: 1.4.0
      version_added_collection: community.hashi_vault
    type: raw
    vars:
    - name: ansible_hashi_vault_retries
    version_added: 1.3.0
    version_added_collection: community.hashi_vault

role_id:
    description:
    - Vault Role ID or name. Used in C(approle), C(aws_iam), C(azure) and C(cert) auth
      methods.
    - For C(cert) auth, if no I(role_id) is supplied, the default behavior is to try all
      certificate roles and return any one that matches.
    - For C(azure) auth, I(role_id) is required.
    env:
    - name: ANSIBLE_HASHI_VAULT_ROLE_ID
      version_added: 0.2.0
      version_added_collection: community.hashi_vault
    ini:
    - key: role_id
      section: hashi_vault_collection
      version_added: 1.4.0
      version_added_collection: community.hashi_vault
    type: str
    vars:
    - name: ansible_hashi_vault_role_id
      version_added: 1.2.0
      version_added_collection: community.hashi_vault

timeout:
    description:
    - Sets the connection timeout in seconds.
    - If not set, then the C(hvac) library's default is used.
    env:
    - name: ANSIBLE_HASHI_VAULT_TIMEOUT
    ini:
    - key: timeout
      section: hashi_vault_collection
      version_added: 1.4.0
      version_added_collection: community.hashi_vault
    type: int
    vars:
    - name: ansible_hashi_vault_timeout
    version_added: 1.3.0
    version_added_collection: community.hashi_vault

password:
    description: Authentication password.
    env:
    - name: ANSIBLE_HASHI_VAULT_PASSWORD
      version_added: 1.2.0
      version_added_collection: community.hashi_vault
    type: str
    vars:
    - name: ansible_hashi_vault_password
      version_added: 1.2.0
      version_added_collection: community.hashi_vault

username:
    description: Authentication user name.
    env:
    - name: ANSIBLE_HASHI_VAULT_USERNAME
      version_added: 1.2.0
      version_added_collection: community.hashi_vault
    type: str
    vars:
    - name: ansible_hashi_vault_username
      version_added: 1.2.0
      version_added_collection: community.hashi_vault

namespace:
    description:
    - Vault namespace where secrets reside. This option requires HVAC 0.7.0+ and Vault
      0.11+.
    - Optionally, this may be achieved by prefixing the authentication mount point and/or
      secret path with the namespace (e.g C(mynamespace/secret/mysecret)).
    - If environment variable C(VAULT_NAMESPACE) is set, its value will be used last among
      all ways to specify I(namespace).
    env:
    - name: ANSIBLE_HASHI_VAULT_NAMESPACE
      version_added: 0.2.0
      version_added_collection: community.hashi_vault
    ini:
    - key: namespace
      section: hashi_vault_collection
      version_added: 1.4.0
      version_added_collection: community.hashi_vault
    type: str
    vars:
    - name: ansible_hashi_vault_namespace
      version_added: 1.2.0
      version_added_collection: community.hashi_vault

secret_id:
    description: Secret ID to be used for Vault AppRole authentication.
    env:
    - name: ANSIBLE_HASHI_VAULT_SECRET_ID
      version_added: 0.2.0
      version_added_collection: community.hashi_vault
    type: str
    vars:
    - name: ansible_hashi_vault_secret_id
      version_added: 1.2.0
      version_added_collection: community.hashi_vault

token_file:
    default: .vault-token
    description: If no token is specified, will try to read the token from this file in
      I(token_path).
    env:
    - name: ANSIBLE_HASHI_VAULT_TOKEN_FILE
      version_added: 0.2.0
      version_added_collection: community.hashi_vault
    ini:
    - key: token_file
      section: hashi_vault_collection
      version_added: 1.4.0
      version_added_collection: community.hashi_vault
    type: str
    vars:
    - name: ansible_hashi_vault_token_file
      version_added: 1.2.0
      version_added_collection: community.hashi_vault

token_path:
    description: If no token is specified, will try to read the I(token_file) from this
      path.
    env:
    - name: ANSIBLE_HASHI_VAULT_TOKEN_PATH
      version_added: 0.2.0
      version_added_collection: community.hashi_vault
    ini:
    - key: token_path
      section: hashi_vault_collection
      version_added: 1.4.0
      version_added_collection: community.hashi_vault
    type: str
    vars:
    - name: ansible_hashi_vault_token_path
      version_added: 1.2.0
      version_added_collection: community.hashi_vault

auth_method:
    choices:
    - token
    - userpass
    - ldap
    - approle
    - aws_iam
    - azure
    - jwt
    - cert
    - none
    default: token
    description:
    - Authentication method to be used.
    - C(none) auth method was added in collection version C(1.2.0).
    - C(cert) auth method was added in collection version C(1.4.0).
    - C(aws_iam_login) was renamed C(aws_iam) in collection version C(2.1.0) and was removed
      in C(3.0.0).
    - C(azure) auth method was added in collection version C(3.2.0).
    env:
    - name: ANSIBLE_HASHI_VAULT_AUTH_METHOD
      version_added: 0.2.0
      version_added_collection: community.hashi_vault
    ini:
    - key: auth_method
      section: hashi_vault_collection
      version_added: 1.4.0
      version_added_collection: community.hashi_vault
    type: str
    vars:
    - name: ansible_hashi_vault_auth_method
      version_added: 1.2.0
      version_added_collection: community.hashi_vault

aws_profile:
    aliases:
    - boto_profile
    description: The AWS profile
    env:
    - name: AWS_DEFAULT_PROFILE
    - name: AWS_PROFILE
    type: str

mount_point:
    description:
    - Vault mount point.
    - If not specified, the default mount point for a given auth method is used.
    - Does not apply to token authentication.
    env:
    - name: ANSIBLE_HASHI_VAULT_MOUNT_POINT
      version_added: 1.5.0
      version_added_collection: community.hashi_vault
    ini:
    - key: mount_point
      section: hashi_vault_collection
      version_added: 1.5.0
      version_added_collection: community.hashi_vault
    type: str
    vars:
    - name: ansible_hashi_vault_mount_point
      version_added: 1.5.0
      version_added_collection: community.hashi_vault

retry_action:
    choices:
    - ignore
    - warn
    default: warn
    description:
    - Controls whether and how to show messages on I(retries).
    - This has no effect if a request is not retried.
    env:
    - name: ANSIBLE_HASHI_VAULT_RETRY_ACTION
    ini:
    - key: retry_action
      section: hashi_vault_collection
      version_added: 1.4.0
      version_added_collection: community.hashi_vault
    type: str
    vars:
    - name: ansible_hashi_vault_retry_action
    version_added: 1.3.0
    version_added_collection: community.hashi_vault

return_format:
    aliases:
    - as
    choices:
    - dict
    - values
    - raw
    default: dict
    description:
    - Controls how multiple key/value pairs in a path are treated on return.
    - C(dict) returns a single dict containing the key/value pairs.
    - C(values) returns a list of all the values only. Use when you don't care about the
      keys.
    - C(raw) returns the actual API result (deserialized), which includes metadata and
      may have the data nested in other keys.

aws_access_key:
    aliases:
    - aws_access_key_id
    description: The AWS access key to use.
    env:
    - name: EC2_ACCESS_KEY
    - name: AWS_ACCESS_KEY
    - name: AWS_ACCESS_KEY_ID
    type: str

aws_secret_key:
    aliases:
    - aws_secret_access_key
    description: The AWS secret key that corresponds to the access key.
    env:
    - name: EC2_SECRET_KEY
    - name: AWS_SECRET_KEY
    - name: AWS_SECRET_ACCESS_KEY
    type: str

azure_resource:
    default: https://management.azure.com/
    description: The resource URL for the application registered in Azure Active Directory.
      Usually should not be changed from the default.
    env:
    - name: ANSIBLE_HASHI_VAULT_AZURE_RESOURCE
    ini:
    - key: azure_resource
      section: hashi_vault_collection
    required: false
    type: str
    vars:
    - name: ansible_hashi_vault_azure_resource
    version_added: 3.2.0
    version_added_collection: community.hashi_vault

token_validate:
    default: false
    description:
    - For token auth, will perform a C(lookup-self) operation to determine the token's
      validity before using it.
    - Disable if your token does not have the C(lookup-self) capability.
    env:
    - name: ANSIBLE_HASHI_VAULT_TOKEN_VALIDATE
    ini:
    - key: token_validate
      section: hashi_vault_collection
      version_added: 1.4.0
      version_added_collection: community.hashi_vault
    type: bool
    vars:
    - name: ansible_hashi_vault_token_validate
      version_added: 1.2.0
      version_added_collection: community.hashi_vault
    version_added: 0.2.0
    version_added_collection: community.hashi_vault

validate_certs:
    description:
    - Controls verification and validation of SSL certificates, mostly you only want to
      turn off with self signed ones.
    - Will be populated with the inverse of C(VAULT_SKIP_VERIFY) if that is set and I(validate_certs)
      is not explicitly provided.
    - Will default to C(true) if neither I(validate_certs) or C(VAULT_SKIP_VERIFY) are
      set.
    type: bool
    vars:
    - name: ansible_hashi_vault_validate_certs
      version_added: 1.2.0
      version_added_collection: community.hashi_vault

azure_client_id:
    description:
    - The client ID (also known as application ID) of the Azure AD service principal or
      managed identity. Should be a UUID.
    - If not specified, will use the system assigned managed identity.
    env:
    - name: ANSIBLE_HASHI_VAULT_AZURE_CLIENT_ID
    ini:
    - key: azure_client_id
      section: hashi_vault_collection
    required: false
    type: str
    vars:
    - name: ansible_hashi_vault_azure_client_id
    version_added: 3.2.0
    version_added_collection: community.hashi_vault

azure_tenant_id:
    description:
    - The Azure Active Directory Tenant ID (also known as the Directory ID) of the service
      principal. Should be a UUID.
    - Required when using a service principal to authenticate to Vault, e.g. required
      when both I(azure_client_id) and I(azure_client_secret) are specified.
    - Optional when using managed identity to authenticate to Vault.
    env:
    - name: ANSIBLE_HASHI_VAULT_AZURE_TENANT_ID
    ini:
    - key: azure_tenant_id
      section: hashi_vault_collection
    required: false
    type: str
    vars:
    - name: ansible_hashi_vault_azure_tenant_id
    version_added: 3.2.0
    version_added_collection: community.hashi_vault

aws_iam_server_id:
    description: If specified, sets the value to use for the C(X-Vault-AWS-IAM-Server-ID)
      header as part of C(GetCallerIdentity) request.
    env:
    - name: ANSIBLE_HASHI_VAULT_AWS_IAM_SERVER_ID
    ini:
    - key: aws_iam_server_id
      section: hashi_vault_collection
      version_added: 1.4.0
      version_added_collection: community.hashi_vault
    required: false
    type: str
    version_added: 0.2.0
    version_added_collection: community.hashi_vault

aws_security_token:
    description: The AWS security token if using temporary access and secret keys.
    env:
    - name: EC2_SECURITY_TOKEN
    - name: AWS_SESSION_TOKEN
    - name: AWS_SECURITY_TOKEN
    type: str

azure_client_secret:
    description: The client secret of the Azure AD service principal.
    env:
    - name: ANSIBLE_HASHI_VAULT_AZURE_CLIENT_SECRET
    required: false
    type: str
    vars:
    - name: ansible_hashi_vault_azure_client_secret
    version_added: 3.2.0
    version_added_collection: community.hashi_vault

cert_auth_public_key:
    description: For C(cert) auth, path to the certificate file to authenticate with,
      in PEM format.
    env:
    - name: ANSIBLE_HASHI_VAULT_CERT_AUTH_PUBLIC_KEY
    ini:
    - key: cert_auth_public_key
      section: hashi_vault_collection
    type: path
    vars:
    - name: ansible_hashi_vault_cert_auth_public_key
      version_added: 6.2.0
      version_added_collection: community.hashi_vault
    version_added: 1.4.0
    version_added_collection: community.hashi_vault

cert_auth_private_key:
    description: For C(cert) auth, path to the private key file to authenticate with,
      in PEM format.
    env:
    - name: ANSIBLE_HASHI_VAULT_CERT_AUTH_PRIVATE_KEY
    ini:
    - key: cert_auth_private_key
      section: hashi_vault_collection
    type: path
    vars:
    - name: ansible_hashi_vault_cert_auth_private_key
      version_added: 6.2.0
      version_added_collection: community.hashi_vault
    version_added: 1.4.0
    version_added_collection: community.hashi_vault
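The option rules documented above (the token loading order, the VAULT_SKIP_VERIFY inverse for validate_certs, the path[:field] secret term and the dict/values/raw return formats) as an added, runnable Python model; this is illustrative code written for this page, not the plugin's implementation. It assumes a constructed KV v2 API response, a home-directory default for token_path, and that a single-field request under the dict format yields the bare value, as the usage examples print it.

```python
"""Illustrative model of the documented option rules (not the plugin's code)."""
import os

# Constructed stand-in for a KV v2 "read secret version" API response.
SAMPLE_KV2_RESPONSE = {
    "request_id": "00000000-0000-0000-0000-000000000000",  # placeholder id
    "data": {
        "data": {"value": "hello-world", "other": "second"},
        "metadata": {"version": 3, "destroyed": False},
    },
}

TRUTHY = ("1", "true", "t", "yes", "y", "on")


def parse_secret_term(term):
    """Split a 'path[:field]' term; the 'secret=' prefix is optional when first."""
    if term.startswith("secret="):
        term = term[len("secret="):]
    path, sep, field = term.partition(":")
    return path, (field if sep else None)


def resolve_token(token_param=None, ansible_var=None, env=None,
                  token_path=None, token_file=".vault-token"):
    """First found wins: token param -> ansible var -> ANSIBLE_HASHI_VAULT_TOKEN
    -> VAULT_TOKEN -> token file.  Returns None when no source has a token."""
    env = os.environ if env is None else env
    for candidate in (token_param, ansible_var,
                      env.get("ANSIBLE_HASHI_VAULT_TOKEN"), env.get("VAULT_TOKEN")):
        if candidate:
            return candidate
    # Assumption: the token file is looked up in the home directory by default.
    path = os.path.join(token_path or os.path.expanduser("~"), token_file)
    try:
        with open(path, encoding="utf-8") as fh:
            return fh.read().strip() or None
    except OSError:
        return None


def effective_validate_certs(validate_certs=None, env=None):
    """Explicit option wins; otherwise the inverse of VAULT_SKIP_VERIFY; else True."""
    env = os.environ if env is None else env
    if validate_certs is not None:
        return bool(validate_certs)
    skip = env.get("VAULT_SKIP_VERIFY")
    if skip is not None:
        return skip.strip().lower() not in TRUTHY
    return True


def format_result(raw, return_format="dict", field=None):
    """Apply return_format ('dict', 'values' or 'raw') to an API response."""
    if return_format == "raw":
        # Whole deserialized response, metadata included; the caller digs
        # into raw['data']['data'] for KV v2 as the usage example shows.
        return raw
    secrets = raw["data"]
    # KV v2 nests the key/value pairs one level deeper than KV v1.
    if "metadata" in secrets and isinstance(secrets.get("data"), dict):
        secrets = secrets["data"]
    if field is not None:
        if field not in secrets:
            raise KeyError("field '%s' not present in the secret" % field)
        return secrets[field]  # assumption: single field yields its bare value
    if return_format == "values":
        return list(secrets.values())
    if return_format == "dict":
        return dict(secrets)
    raise ValueError("unknown return_format: %s" % return_format)


if __name__ == "__main__":
    path, field = parse_secret_term("secret=secret/data/hello:value")
    print(path, field, format_result(SAMPLE_KV2_RESPONSE, "dict", field))
    print(format_result(SAMPLE_KV2_RESPONSE, "values"))
    print(effective_validate_certs(None, {"VAULT_SKIP_VERIFY": "true"}))
```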

Outputs

_raw:
  description:
  - secret(s) requested
  elements: dict
  type: list

See also