hashi_vault - retrieve secrets from HasihCorp’s vault
New in version 2.0.
Synopsis
- retrieve secrets from HasihCorp’s vault
Requirements
The below requirements are needed on the local master node that executes this lookup.
- hvac (python library)
Parameters
Parameter | Choices/Defaults | Configuration | Comments |
---|---|---|---|
auth_method |
authentication method used
|
||
cacert |
path to certificate to use for authentication
|
||
mount_point | Default:
ldap
|
vault mount point, only required if you have a custom mount point
|
|
password |
authentication password
|
||
role_id |
env:VAULT_ROLE_ID
|
Role id for a vault AppRole auth
|
|
secret
required
|
query you are making
|
||
secret_id |
env:VAULT_SECRET_ID
|
Secret id for a vault AppRole auth
|
|
token |
env:VAULT_TOKEN
|
vault token
|
|
url | Default:
http://127.0.0.1:8200
|
env:VAULT_ADDR
|
url to vault service
|
username |
authentication user name
|
||
validate_certs | Default:
yes
|
controls verification and validation of SSL certificates, mostly you only want to turn off with self signed ones.
|
Notes
Note
- Due to a current limitation in the HVAC library there won’t necessarily be an error if a bad endpoint is specified.
Examples
- debug: msg: "{{ lookup('hashi_vault', 'secret=secret/hello:value token=c975b780-d1be-8016-866b-01d0f9b688a5 url=http://myvault:8200')}}" - name: Return all secrets from a path debug: msg: "{{ lookup('hashi_vault', 'secret=secret/hello token=c975b780-d1be-8016-866b-01d0f9b688a5 url=http://myvault:8200')}}" - name: Vault that requires authentication via LDAP debug: msg: "{{ lookup('hashi_vault', 'secret=secret/hello:value auth_method=ldap mount_point=ldap username=myuser password=mypas url=http://myvault:8200')}}" - name: Using an ssl vault debug: msg: "{{ lookup('hashi_vault', 'secret=secret/hola:value token=c975b780-d1be-8016-866b-01d0f9b688a5 url=https://myvault:8200 validate_certs=False')}}" - name: using certificate auth debug: msg: "{{ lookup('hashi_vault', 'secret=secret/hi:value token=xxxx-xxx-xxx url=https://myvault:8200 validate_certs=True cacert=/cacert/path/ca.pem')}}" - name: authenticate with a Vault app role debug: msg: "{{ lookup('hashi_vault', 'secret=secret/hello:value auth_method=approle role_id=myroleid secret_id=mysecretid url=http://myvault:8200')}}"
Return Values
Common return values are documented here, the following are the fields unique to this lookup:
Key | Returned | Description |
---|---|---|
_raw |
secrets(s) requested
|
Status
Author
- Jonathan Davila <jdavila(at)ansible.com>
Hint
If you notice any issues in this documentation you can edit this document to improve it.
© 2012–2018 Michael DeHaan
© 2018–2019 Red Hat, Inc.
Licensed under the GNU General Public License version 3.
https://docs.ansible.com/ansible/2.5/plugins/lookup/hashi_vault.html