community.hashi_vault.vault_token_create lookup – Create a HashiCorp Vault token
Note
This lookup plugin is part of the community.hashi_vault collection (version 6.2.0).
You might already have this collection installed if you are using the ansible
package.
It is not included in ansible-core
.
To check whether it is installed, run ansible-galaxy collection list
.
To install it, use: ansible-galaxy collection install community.hashi_vault
.
You need further requirements to be able to use this lookup plugin,
see Requirements for details.
To use it in a playbook, specify: community.hashi_vault.vault_token_create
.
New in community.hashi_vault 2.3.0
Synopsis
Creates a token in HashiCorp Vault, returning the response, including the token.
Requirements
The below requirements are needed on the local controller node that executes this lookup.
hvac
(Python library)For detailed requirements, see the collection requirements page.
Terms
Parameter |
Comments |
---|---|
This is unused and any terms supplied will be ignored. |
Keyword parameters
This describes keyword parameters of the lookup. These are the values key1=value1
, key2=value2
and so on in the following
examples: lookup('community.hashi_vault.vault_token_create', key1=value1, key2=value2, ...)
and query('community.hashi_vault.vault_token_create', key1=value1, key2=value2, ...)
Parameter |
Comments |
---|---|
Authentication method to be used.
Choices:
Configuration:
|
|
The AWS access key to use. Configuration:
|
|
If specified, sets the value to use for the Configuration:
|
|
The AWS profile Configuration:
|
|
The AWS secret key that corresponds to the access key. Configuration:
|
|
The AWS security token if using temporary access and secret keys. Configuration:
|
|
The client ID (also known as application ID) of the Azure AD service principal or managed identity. Should be a UUID. If not specified, will use the system assigned managed identity. Configuration:
|
|
The client secret of the Azure AD service principal. Configuration:
|
|
The resource URL for the application registered in Azure Active Directory. Usually should not be changed from the default. Default: Configuration:
|
|
The Azure Active Directory Tenant ID (also known as the Directory ID) of the service principal. Should be a UUID. Required when using a service principal to authenticate to Vault, e.g. required when both azure_client_id and azure_client_secret are specified. Optional when using managed identity to authenticate to Vault. Configuration:
|
|
Path to certificate to use for authentication. If not specified by any other means, the Configuration:
|
|
For Configuration:
|
|
For Configuration:
|
|
The display name of the token. |
|
Name of the entity alias to associate with during token creation. Only works in combination with role_name option and used entity alias must be listed in If this has been specified, the entity will not be inherited from the parent. |
|
If set, the token will have an explicit max TTL set upon it. This maximum token TTL cannot be changed later, and unlike with normal tokens, updates to the system/mount max TTL value will have no effect at renewal time. The token will never be able to be renewed or used past the value set at issue time. |
|
The ID of the client token. Can only be specified by a root token. The ID provided may not contain a Otherwise, the token ID is a randomly generated value. |
|
The JSON Web Token (JWT) to use for JWT authentication to Vault. Configuration:
|
|
A dict of string to string valued metadata. This is passed through to the audit devices. |
|
Vault mount point. If not specified, the default mount point for a given auth method is used. Does not apply to token authentication. Configuration:
|
|
Vault namespace where secrets reside. This option requires HVAC 0.7.0+ and Vault 0.11+. Optionally, this may be achieved by prefixing the authentication mount point and/or secret path with the namespace (e.g If environment variable Configuration:
|
|
If If the token will be used with this collection, set token_validate=false. Choices:
|
|
This option only has effect if used by a When Choices:
|
|
The maximum uses for the given token. This can be used to create a one-time-token or limited use token. The value of |
|
When With Choices:
|
|
Authentication password. Configuration:
|
|
If specified, the token will be periodic. It will have no maximum TTL (unless an explicit_max_ttl is also set) but every renewal will use the given period. Requires a root token or one with the |
|
A list of policies for the token. This must be a subset of the policies belonging to the token making the request, unless root. If not specified, defaults to all the policies of the calling token. |
|
URL(s) to the proxies used to access the Vault service. It can be a string or a dict. If it’s a dict, provide the scheme (eg. If it’s a string, provide a single URL that will be used as the proxy for both A string that can be interpreted as a dictionary will be converted to one (see examples). You can specify a different proxy for HTTP and HTTPS resources. If not specified, environment variables from the Requests library are used. Configuration:
|
|
The AWS region for which to create the connection. Configuration:
|
|
Set to Setting the value to Choices:
|
|
Allows for retrying on errors, based on the Retry class in the urllib3 library. This collection defines recommended defaults for retrying connections to Vault. This option can be specified as a positive number (integer) or dictionary. If this option is not specified or the number is A number sets the total number of retries, and uses collection defaults for the other settings. A dictionary value is used directly to initialize the For detailed information on retries, see the collection User Guide. Configuration:
|
|
Controls whether and how to show messages on retries. This has no effect if a request is not retried. Choices:
Configuration:
|
|
Vault Role ID or name. Used in For For Configuration:
|
|
The name of the token role. If used, the token will be created against the specified role name which may override options set during this call. |
|
Secret ID to be used for Vault AppRole authentication. Configuration:
|
|
Sets the connection timeout in seconds. If not set, then the Configuration:
|
|
Vault token. Token may be specified explicitly, through the listed [env] vars, and also through the If no token is supplied, explicitly or through env, then the plugin will check for a token file, as determined by token_path and token_file. The order of token loading (first found wins) is Configuration:
|
|
If no token is specified, will try to read the token from this file in token_path. Default: Configuration:
|
|
If no token is specified, will try to read the token_file from this path. Configuration:
|
|
For token auth, will perform a Disable if your token does not have the Choices:
Configuration:
|
|
The TTL period of the token, provided as If not provided, the token is valid for the default lease TTL, or indefinitely if the root policy is used. |
|
The token type. The default is determined by the role configuration specified by role_name. Choices:
|
|
URL to the Vault service. If not specified by any other means, the value of the If Configuration:
|
|
Authentication user name. Configuration:
|
|
Controls verification and validation of SSL certificates, mostly you only want to turn off with self signed ones. Will be populated with the inverse of Will default to Choices:
Configuration:
|
|
Specifies response wrapping token creation with duration. For example Configuration:
|
Notes
Note
When keyword and positional parameters are used together, positional parameters must be listed before keyword parameters:
lookup('community.hashi_vault.vault_token_create', term1, term2, key1=value1, key2=value2)
andquery('community.hashi_vault.vault_token_create', term1, term2, key1=value1, key2=value2)
Token creation is a write operation (creating a token persisted to storage), so this module always reports
changed=True
.For the purposes of Ansible playbooks however, it may be more useful to set changed_when=false if you are doing idempotency checks against the target system.
In check mode, this module will not create a token, and will instead return a basic structure with an empty token. However, this may not be useful if the token is required for follow on tasks. It may be better to use this module with check_mode=false in order to have a valid token that can be used.
See Also
See also
- community.hashi_vault.vault_token_create
Create a HashiCorp Vault token.
- community.hashi_vault.vault_login lookup
The official documentation for the
community.hashi_vault.vault_login
lookup plugin.- community.hashi_vault.vault_login
Perform a login operation against HashiCorp Vault.
- community.hashi_vault.vault_login_token filter
The official documentation for the
community.hashi_vault.vault_login_token
filter plugin.
Examples
- name: Login via userpass and create a child token
ansible.builtin.set_fact:
token_data: "{{ lookup('community.hashi_vault.vault_token_create', url='https://vault', auth_method='userpass', username=user, password=passwd) }}"
- name: Retrieve an approle role ID using the child token (token via filter)
community.hashi_vault.vault_read:
url: https://vault:8201
auth_method: token
token: '{{ token_data | community.hashi_vault.vault_login_token }}'
path: auth/approle/role/role-name/role-id
register: approle_id
- name: Retrieve an approle role ID (token via direct dict access)
community.hashi_vault.vault_read:
url: https://vault:8201
auth_method: token
token: '{{ token_data.auth.client_token }}'
path: auth/approle/role/role-name/role-id
register: approle_id
# implicitly uses url & token auth with a token from the environment
- name: Create an orphaned token with a short TTL and display the full response
ansible.builtin.debug:
var: lookup('community.hashi_vault.vault_token_create', orphan=True, ttl='60s')
Return Value
Key |
Description |
---|---|
The result of the token creation operation. Returned: success Sample: |
|
The Returned: success |
|
Contains the newly created token. Returned: success |
|
The Returned: success, when available |