hashi_vault – retrieve secrets from HashiCorp's vault
New in version 2.0.
Synopsis
Retrieve secrets from HashiCorp's Vault.
Requirements
The following requirements are needed on the local master node that executes this lookup.
hvac (Python library)
Parameters
Parameter | Choices/Defaults | Configuration | Comments |
---|---|---|---|
auth_method | | env:VAULT_AUTH_METHOD | Authentication method to be used. userpass is added in version 2.8. |
ca_cert | | | Path to the certificate to use for authentication. Aliases: cacert |
mount_point | Default: "ldap" | | Vault mount point; only required if you have a custom mount point. |
namespace (added in 2.8) | Default: "None" | | Namespace where the secrets reside. Requires HVAC 0.7.0+ and Vault 0.11+. |
password | | | Authentication password. |
role_id | | env:VAULT_ROLE_ID | Role ID for Vault AppRole auth. |
secret (required) | | | The query you are making. |
secret_id | | env:VAULT_SECRET_ID | Secret ID for Vault AppRole auth. |
token | | env:VAULT_TOKEN | Vault token. |
url | Default: "http://127.0.0.1:8200" | env:VAULT_ADDR | URL of the Vault service. |
username | | | Authentication user name. |
validate_certs (boolean) | Default: "yes" | | Controls verification and validation of SSL certificates; normally you only want to turn this off with self-signed ones. |
Notes
Note: Due to a current limitation in the HVAC library, there won't necessarily be an error if a bad endpoint is specified.
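As an added example, not code from the Ansible plugin or the hvac library, the Python below mirrors how the parameters in the table above are resolved: explicit `key=value` pairs in the lookup term win, then the `env:` variables, then the documented defaults, and `secret=path:key` is split into the path to read and the field to return. It also covers the note above: hvac returns `None` for a bad endpoint or missing path instead of raising, so `select_secret` turns that into an explicit error rather than silently yielding nothing. `build_client` and `lookup` call hvac and assume that `auth_method` defaults to token auth when unset and that userpass lives at the `userpass` mount; those assumptions and all function names are mine, not the page's.

```python
import os
import shlex

# Documented defaults from the parameter table.
DEFAULTS = {"url": "http://127.0.0.1:8200", "validate_certs": True}

# Parameters that fall back to an environment variable (the env: column).
ENV_FALLBACKS = {
    "auth_method": "VAULT_AUTH_METHOD",
    "role_id": "VAULT_ROLE_ID",
    "secret_id": "VAULT_SECRET_ID",
    "token": "VAULT_TOKEN",
    "url": "VAULT_ADDR",
}
ALIASES = {"cacert": "ca_cert"}
TRUE_VALUES = {"yes", "true", "1", "on"}
FALSE_VALUES = {"no", "false", "0", "off"}


def parse_term(term, environ=None):
    """Turn a 'key=value key=value' lookup term into a parameter dict.

    Resolution order: explicit term value, then the env: variable, then the
    documented default. 'secret' is required; 'path:key' is split.
    """
    environ = os.environ if environ is None else environ
    params = {}
    for token in shlex.split(term):
        if "=" not in token:
            raise ValueError("expected key=value, got %r" % token)
        key, value = token.split("=", 1)
        params[ALIASES.get(key, key)] = value
    for key, env_name in ENV_FALLBACKS.items():
        if key not in params and env_name in environ:
            params[key] = environ[env_name]
    for key, default in DEFAULTS.items():
        params.setdefault(key, default)
    if "secret" not in params:
        raise ValueError("'secret' is required")
    path, _, field = params["secret"].partition(":")
    params["secret_path"] = path
    params["secret_field"] = field or None
    vc = params["validate_certs"]
    if isinstance(vc, str):  # came from the term as text, normalise to bool
        if vc.lower() in TRUE_VALUES:
            params["validate_certs"] = True
        elif vc.lower() in FALSE_VALUES:
            params["validate_certs"] = False
        else:
            raise ValueError("validate_certs must be a boolean, got %r" % vc)
    return params


def select_secret(response, field):
    """Reduce a Vault read response to what the lookup returns as _raw.

    A None response (bad endpoint, wrong mount, missing path) becomes an
    error here instead of an empty lookup result.
    """
    if response is None or "data" not in response:
        raise LookupError("no data returned from Vault; check url, mount point and path")
    data = response["data"]
    if field is None:
        return data
    if field not in data:
        raise LookupError("field %r not present in secret" % field)
    return data[field]


def build_client(params):
    """Authenticate an hvac client from resolved parameters (assumed mapping)."""
    import hvac  # imported here so parse_term/select_secret work without hvac

    # validate_certs=False disables TLS verification entirely; otherwise use
    # the ca_cert bundle if given, else the system trust store.
    verify = (params.get("ca_cert") or True) if params["validate_certs"] else False
    client = hvac.Client(url=params["url"], verify=verify, namespace=params.get("namespace"))
    method = params.get("auth_method", "token")  # assumption: token auth by default
    if method == "token":
        client.token = params["token"]
    elif method == "approle":
        client.auth_approle(params["role_id"], params["secret_id"])
    elif method == "ldap":
        client.auth_ldap(params["username"], params["password"],
                         mount_point=params.get("mount_point", "ldap"))
    elif method == "userpass":
        client.auth_userpass(params["username"], params["password"],
                             mount_point=params.get("mount_point", "userpass"))  # assumed mount
    else:
        raise ValueError("unsupported auth_method %r" % method)
    if not client.is_authenticated():
        raise LookupError("Vault authentication failed")
    return client


def lookup(term, environ=None):
    """End-to-end equivalent of lookup('hashi_vault', term) for one term."""
    params = parse_term(term, environ)
    client = build_client(params)
    return select_secret(client.read(params["secret_path"]), params["secret_field"])
```

Keeping `token` in `VAULT_TOKEN` rather than in the term string, as the env: column allows, keeps the token out of the playbook and out of the task output; `parse_term` shows that a term value still overrides the variable when both are present.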
Examples

```yaml
- debug:
    msg: "{{ lookup('hashi_vault', 'secret=secret/hello:value token=c975b780-d1be-8016-866b-01d0f9b688a5 url=http://myvault:8200')}}"

- name: Return all secrets from a path
  debug:
    msg: "{{ lookup('hashi_vault', 'secret=secret/hello token=c975b780-d1be-8016-866b-01d0f9b688a5 url=http://myvault:8200')}}"

- name: Vault that requires authentication via LDAP
  debug:
    msg: "{{ lookup('hashi_vault', 'secret=secret/hello:value auth_method=ldap mount_point=ldap username=myuser password=mypas url=http://myvault:8200')}}"

- name: Vault that requires authentication via username and password
  debug:
    msg: "{{ lookup('hashi_vault', 'secret=secret/hello:value auth_method=userpass username=myuser password=mypas url=http://myvault:8200')}}"

- name: Using an ssl vault
  debug:
    msg: "{{ lookup('hashi_vault', 'secret=secret/hola:value token=c975b780-d1be-8016-866b-01d0f9b688a5 url=https://myvault:8200 validate_certs=False')}}"

- name: using certificate auth
  debug:
    msg: "{{ lookup('hashi_vault', 'secret=secret/hi:value token=xxxx-xxx-xxx url=https://myvault:8200 validate_certs=True cacert=/cacert/path/ca.pem')}}"

- name: authenticate with a Vault app role
  debug:
    msg: "{{ lookup('hashi_vault', 'secret=secret/hello:value auth_method=approle role_id=myroleid secret_id=mysecretid url=http://myvault:8200')}}"

- name: Return all secrets from a path in a namespace
  debug:
    msg: "{{ lookup('hashi_vault', 'secret=secret/hello token=c975b780-d1be-8016-866b-01d0f9b688a5 url=http://myvault:8200 namespace=teama/admins')}}"
```
Return Values
Common return values are documented here; the following are the fields unique to this lookup:
Key | Returned | Description |
---|---|---|
_raw | | secret(s) requested |
Status
This lookup is not guaranteed to have a backwards compatible interface. [preview]
This lookup is maintained by the Ansible Community. [community]