hashi_vault – retrieve secrets from HashiCorp’s vault


New in version 2.0.


Synopsis

  • retrieve secrets from HashiCorp’s vault

Requirements

The below requirements are needed on the local control node that executes this lookup (lookups run on the Ansible controller, not on the managed hosts).

  • hvac (python library)

Parameters

Each parameter is passed as key=value inside the lookup term; where a Configuration entry is listed, the same value can instead come from that environment variable on the control node.

Parameter | Choices/Defaults | Configuration | Comments

auth_method
  Choices: userpass, ldap, approle
  Configuration: env:VAULT_AUTH_METHOD
  Authentication method to be used. When no auth_method is given, the lookup authenticates with the token parameter, as in the token-only examples below. userpass is added in version 2.8.

ca_cert
  Aliases: cacert
  Path to the CA certificate (or bundle) used to verify the Vault server's TLS certificate. This is server verification, not client-certificate authentication, and it only takes effect while validate_certs is on.

mount_point
  Default: "ldap"
  Mount point of the auth method (for example ldap or userpass); only required if you have a custom mount point. The mount of the secrets engine itself is part of the secret path, not this parameter.

namespace
  Added in 2.8
  Default: None
  Namespace where the secrets reside. Requires hvac 0.7.0+ and Vault 0.11+.

password
  Authentication password (for the ldap and userpass methods).

role_id
  Configuration: env:VAULT_ROLE_ID
  Role id for a Vault AppRole auth.

secret
  required
  Query you are making: the path of the secret, optionally followed by :field to return only that field of the secret's data (secret/hello:value in the examples). Without a field suffix the whole data mapping of the secret is returned. The path is passed to Vault as written.

secret_id
  Configuration: env:VAULT_SECRET_ID
  Secret id for a Vault AppRole auth. Like a token it is a credential; supply it through the environment rather than writing it into the playbook.

token
  Configuration: env:VAULT_TOKEN
  Vault token. A token written literally into a lookup term ends up in version control and in verbose task output, so prefer VAULT_TOKEN, or AppRole, for anything beyond a throwaway test.

url
  Default: env:VAULT_ADDR
  URL to the Vault service.

username
  Authentication user name (for the ldap and userpass methods).

validate_certs
  Type: boolean
  Default: "yes"
  Controls verification and validation of SSL certificates; mostly you only want to turn it off with self-signed ones. Turning it off removes the protection against a spoofed Vault endpoint and sends the token to whatever answers at url, so for self-signed or private-CA deployments keep it on and point ca_cert at the CA instead.



Notes

Note

  • Due to a current limitation in the HVAC library there won't necessarily be an error if a bad endpoint is specified, so check the returned value (for example with an assert task or a when condition) rather than relying on the lookup failing.


Examples

- debug:
    msg: "{{ lookup('hashi_vault', 'secret=secret/hello:value token=c975b780-d1be-8016-866b-01d0f9b688a5 url=http://myvault:8200')}}"

- name: Return all secrets from a path
  debug:
    msg: "{{ lookup('hashi_vault', 'secret=secret/hello token=c975b780-d1be-8016-866b-01d0f9b688a5 url=http://myvault:8200')}}"

- name: Vault that requires authentication via LDAP
  debug:
    msg: "{{ lookup('hashi_vault', 'secret=secret/hello:value auth_method=ldap mount_point=ldap username=myuser password=mypas url=http://myvault:8200')}}"

- name: Vault that requires authentication via username and password
  debug:
    msg: "{{ lookup('hashi_vault', 'secret=secret/hello:value auth_method=userpass username=myuser password=mypas url=http://myvault:8200')}}"

- name: Using a TLS-enabled Vault with certificate verification disabled (lab use only)
  debug:
    msg: "{{ lookup('hashi_vault', 'secret=secret/hola:value token=c975b780-d1be-8016-866b-01d0f9b688a5 url=https://myvault:8200 validate_certs=False')}}"

- name: Using a TLS-enabled Vault verified against a private CA (token auth, ca_cert given via its cacert alias)
  debug:
    msg: "{{ lookup('hashi_vault', 'secret=secret/hi:value token=xxxx-xxx-xxx url=https://myvault:8200 validate_certs=True cacert=/cacert/path/ca.pem')}}"

- name: Authenticate with a Vault AppRole
  debug:
    msg: "{{ lookup('hashi_vault', 'secret=secret/hello:value auth_method=approle role_id=myroleid secret_id=mysecretid url=http://myvault:8200')}}"

- name: Return all secrets from a path in a namespace
  debug:
    msg: "{{ lookup('hashi_vault', 'secret=secret/hello token=c975b780-d1be-8016-866b-01d0f9b688a5 url=http://myvault:8200 namespace=teama/admins')}}"
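The parameter table and the examples above describe how a lookup term is interpreted: key=value options, environment-variable fallbacks for url, token, auth_method, role_id and secret_id, the cacert alias, the validate_certs/ca_cert pair, and the :field suffix on the secret path. The following Python reproduces that interpretation offline. It is an added example, not the plugin's own code: the names parse_term, resolve_settings, split_secret, select_field, lookup and FAKE_VAULT are this example's own, and FAKE_VAULT is a constructed stand-in for what hvac.Client.read() would return, so nothing here contacts a real Vault.

```python
"""Added example (not the Ansible hashi_vault plugin's own code): how a lookup
term such as 'secret=secret/hello:value token=... url=...' is interpreted.

Option names, env-var fallbacks and the ':field' suffix follow the parameter
table; the Vault response is a constructed dict standing in for
hvac.Client.read(), so this runs offline. Function names are this example's own.
"""
import os

# Documented Configuration column: option name -> environment variable fallback.
ENV_FALLBACKS = {
    "url": "VAULT_ADDR",
    "token": "VAULT_TOKEN",
    "auth_method": "VAULT_AUTH_METHOD",
    "role_id": "VAULT_ROLE_ID",
    "secret_id": "VAULT_SECRET_ID",
}

TRUE_WORDS = ("yes", "true", "on", "1")


def parse_term(term):
    """Split a whitespace-separated 'key=value ...' term into a dict.

    'secret' is required; the documented alias 'cacert' is folded into 'ca_cert'.
    """
    opts = {}
    for item in term.split():
        key, sep, value = item.partition("=")
        if not sep or not key:
            raise ValueError("malformed option %r, expected key=value" % item)
        opts[key] = value
    if not opts.get("secret"):
        raise ValueError("'secret' is required")
    if "cacert" in opts:
        opts.setdefault("ca_cert", opts.pop("cacert"))
    return opts


def resolve_settings(opts, environ=None):
    """Apply the env-var fallbacks and derive the TLS verify argument."""
    env = os.environ if environ is None else environ
    settings = dict(opts)
    for key, var in ENV_FALLBACKS.items():
        if key not in settings and var in env:
            settings[key] = env[var]
    if "url" not in settings:
        raise ValueError("url is required (option or VAULT_ADDR)")
    validate = str(settings.get("validate_certs", "yes")).lower() in TRUE_WORDS
    # hvac.Client(verify=...) accepts True, False or a CA bundle path. With
    # validation on, a ca_cert pins the server to that CA; with it off, the
    # ca_cert is ignored and any certificate (hence any endpoint) is accepted.
    settings["verify"] = settings.get("ca_cert", True) if validate else False
    return settings


def split_secret(secret):
    """'secret/hello:value' -> ('secret/hello', 'value'); no suffix -> field None.

    Splitting on the last ':' keeps any ':' inside the path itself intact.
    """
    path, sep, field = secret.rpartition(":")
    if not sep:
        return secret, None
    return path, field


def select_field(response, field):
    """Return the secret's data mapping, or one field of it (the _raw value)."""
    if response is None:
        raise LookupError("secret path not found")
    data = response["data"]
    if not field:
        return data
    if field not in data:
        raise LookupError("field %r not present in secret" % field)
    return data[field]


# Constructed stand-in for what hvac.Client.read() returns for a KV v1 path.
FAKE_VAULT = {
    "secret/hello": {"data": {"value": "world", "other": "x"}},
}


def lookup(term, environ=None, store=FAKE_VAULT):
    """End to end: parse the term, resolve settings, read and select the field."""
    settings = resolve_settings(parse_term(term), environ)
    path, field = split_secret(settings["secret"])
    return select_field(store.get(path), field)


if __name__ == "__main__":
    print(lookup("secret=secret/hello:value token=t url=http://myvault:8200", environ={}))
    print(lookup("secret=secret/hello", environ={"VAULT_ADDR": "http://myvault:8200"}))
    print(resolve_settings(parse_term("secret=x url=https://v cacert=/ca.pem"), environ={})["verify"])
```

The verify value is the part worth checking in a real deployment: with validate_certs left at its default and a ca_cert supplied, the result is the CA path (the server is pinned to that CA); with validate_certs=False the CA path is silently discarded and the token is sent to whatever answers at url.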

Return Values

Common return values are documented in the Ansible return values reference; the following are the fields unique to this lookup:

Key | Returned | Description

_raw
  Returned: -
  Description: secret(s) requested: the selected field when the secret path carries a :field suffix, otherwise the secret's whole data mapping.





Status

Authors

  • Jonathan Davila


Hint

Configuration entries for each entry type have a low to high priority order. For example, a variable that is lower in the list will override a variable that is higher up.


© 2012–2018 Michael DeHaan
© 2018–2019 Red Hat, Inc.
Licensed under the GNU General Public License version 3.
https://docs.ansible.com/ansible/2.8/plugins/lookup/hashi_vault.html