You are reading an unmaintained version of the Ansible documentation. Unmaintained Ansible versions can contain unfixed security vulnerabilities (CVE). Please upgrade to a maintained version. See the latest Ansible documentation.

community.hashi_vault.vault_kv1_get module – Get a secret from HashiCorp Vault’s KV version 1 secret store

Note

This module is part of the community.hashi_vault collection (version 2.5.0).

You might already have this collection installed if you are using the ansible package. It is not included in ansible-core. To check whether it is installed, run ansible-galaxy collection list.

To install it, use: ansible-galaxy collection install community.hashi_vault.

To use it in a playbook, specify: community.hashi_vault.vault_kv1_get.

New in version 2.5.0: of community.hashi_vault

Synopsis
Requirements
Parameters
See Also
Examples
Return Values

Synopsis 

Gets a secret from HashiCorp Vault’s KV version 1 secret store.

Requirements 

The below requirements are needed on the host that executes this module.

hvac (Python library)
For detailed requirements, see the collection requirements page.

Parameters 

Parameter	Comments
auth_method string	Authentication method to be used. `none` auth method was added in collection version `1.2.0`. `cert` auth method was added in collection version `1.4.0`. `aws_iam_login` was renamed `aws_iam` in collection version `2.1.0`. The old name will be removed in `3.0.0`. Choices: token ← (default) userpass ldap approle aws_iam aws_iam_login jwt cert none
aws_access_key aliases: aws_access_key_id string	The AWS access key to use.
aws_iam_server_id string added in 0.2.0 of community.hashi_vault	If specified, sets the value to use for the `X-Vault-AWS-IAM-Server-ID` header as part of `GetCallerIdentity` request.
aws_profile aliases: boto_profile string	The AWS profile
aws_secret_key aliases: aws_secret_access_key string	The AWS secret key that corresponds to the access key.
aws_security_token string	The AWS security token if using temporary access and secret keys.
ca_cert aliases: cacert string	Path to certificate to use for authentication. If not specified by any other means, the `VAULT_CACERT` environment variable will be used.
cert_auth_private_key path added in 1.4.0 of community.hashi_vault	For `cert` auth, path to the private key file to authenticate with, in PEM format.
cert_auth_public_key path added in 1.4.0 of community.hashi_vault	For `cert` auth, path to the certificate file to authenticate with, in PEM format.
engine_mount_point string	The path where the secret backend is mounted. Default: “kv”
jwt string	The JSON Web Token (JWT) to use for JWT authentication to Vault.
mount_point string	Vault mount point. If not specified, the default mount point for a given auth method is used. Does not apply to token authentication.
namespace string	Vault namespace where secrets reside. This option requires HVAC 0.7.0+ and Vault 0.11+. Optionally, this may be achieved by prefixing the authentication mount point and/or secret path with the namespace (e.g `mynamespace/secret/mysecret`). If environment variable `VAULT_NAMESPACE` is set, its value will be used last among all ways to specify namespace.
password string	Authentication password.
path string / required	Vault KV path to be read. This is relative to the engine_mount_point, so the mount path should not be included.
proxies raw added in 1.1.0 of community.hashi_vault	URL(s) to the proxies used to access the Vault service. It can be a string or a dict. If it’s a dict, provide the scheme (eg. `http` or `https`) as the key, and the URL as the value. If it’s a string, provide a single URL that will be used as the proxy for both `http` and `https` schemes. A string that can be interpreted as a dictionary will be converted to one (see examples). You can specify a different proxy for HTTP and HTTPS resources. If not specified, environment variables from the Requests library are used.
region string	The AWS region for which to create the connection.
retries raw added in 1.3.0 of community.hashi_vault	Allows for retrying on errors, based on the Retry class in the urllib3 library. This collection defines recommended defaults for retrying connections to Vault. This option can be specified as a positive number (integer) or dictionary. If this option is not specified or the number is `0`, then retries are disabled. A number sets the total number of retries, and uses collection defaults for the other settings. A dictionary value is used directly to initialize the `Retry` class, so it can be used to fully customize retries. For detailed information on retries, see the collection User Guide.
retry_action string added in 1.3.0 of community.hashi_vault	Controls whether and how to show messages on retries. This has no effect if a request is not retried. Choices: ignore warn ← (default)
role_id string	Vault Role ID or name. Used in `approle`, `aws_iam`, and `cert` auth methods. For `cert` auth, if no role_id is supplied, the default behavior is to try all certificate roles and return any one that matches.
secret_id string	Secret ID to be used for Vault AppRole authentication.
timeout integer added in 1.3.0 of community.hashi_vault	Sets the connection timeout in seconds. If not set, then the `hvac` library’s default is used.
token string	Vault token. Token may be specified explicitly, through the listed [env] vars, and also through the `VAULT_TOKEN` env var. If no token is supplied, explicitly or through env, then the plugin will check for a token file, as determined by token_path and token_file. The order of token loading (first found wins) is `token param -> ansible var -> ANSIBLE_HASHI_VAULT_TOKEN -> VAULT_TOKEN -> token file`.
token_file string	If no token is specified, will try to read the token from this file in token_path. Default: “.vault-token”
token_path string	If no token is specified, will try to read the token_file from this path.
token_validate boolean added in 0.2.0 of community.hashi_vault	For token auth, will perform a `lookup-self` operation to determine the token’s validity before using it. Disable if your token does not have the `lookup-self` capability. The default value is `true`. The default value will change to `false` in version 4.0.0. Choices: no yes
url string	URL to the Vault service. If not specified by any other means, the value of the `VAULT_ADDR` environment variable will be used. If `VAULT_ADDR` is also not defined then an error will be raised.
username string	Authentication user name.
validate_certs boolean	Controls verification and validation of SSL certificates, mostly you only want to turn off with self signed ones. Will be populated with the inverse of `VAULT_SKIP_VERIFY` if that is set and validate_certs is not explicitly provided. Will default to `true` if neither validate_certs or `VAULT_SKIP_VERIFY` are set. Choices: no yes

Examples 

- name: Read a kv1 secret from Vault via the remote host with userpass auth
  community.hashi_vault.vault_kv1_get:
    url: https://vault:8201
    path: hello
    auth_method: userpass
    username: user
    password: '{{ passwd }}'
  register: response
  # equivalent API path is kv/hello

- name: Display the results
  ansible.builtin.debug:
    msg:
      - "Secret: {{ response.secret }}"
      - "Data: {{ response.data }} (same as secret in kv1)"
      - "Metadata: {{ response.metadata }} (response info in kv1)"
      - "Full response: {{ response.raw }}"
      - "Value of key 'password' in the secret: {{ response.secret.password }}"

- name: Read a secret from kv1 with a different mount via the remote host
  community.hashi_vault.vault_kv1_get:
    url: https://vault:8201
    engine_mount_point: custom/kv1/mount
    path: hello
  register: response
  # equivalent API path is custom/kv1/mount/hello

- name: Display the results
  ansible.builtin.debug:
    msg:
      - "Secret: {{ response.secret }}"
      - "Data: {{ response.data }} (same as secret in kv1)"
      - "Metadata: {{ response.metadata }} (response info in kv1)"
      - "Full response: {{ response.raw }}"

Return Values 

Common return values are documented here, the following are the fields unique to this module:

Key	Description
data dictionary	The `data` field of raw result. This can also be accessed via `raw.data`. Returned: success Sample: {“Key1”: “value1”, “Key2”: “value2”}
metadata dictionary	This is a synthetic result. It is the same as `raw` with `data` removed. Returned: success Sample: {“auth”: null, “lease_duration”: 2764800, “lease_id”: “”, “renewable”: false, “request_id”: “e99f145f-f02a-7073-1229-e3f191057a70”, “warnings”: null, “wrap_info”: null}
raw dictionary	The raw result of the read against the given path. Returned: success Sample: {“auth”: null, “data”: {“Key1”: “value1”, “Key2”: “value2”}, “lease_duration”: 2764800, “lease_id”: “”, “renewable”: false, “request_id”: “e99f145f-f02a-7073-1229-e3f191057a70”, “warnings”: null, “wrap_info”: null}
secret dictionary	The `data` field of the raw result. This is identical to `data` in the return values. Returned: success Sample: {“Key1”: “value1”, “Key2”: “value2”}

Authors

Brian Scholer (@briantist)

Collection links

Issue Tracker Repository (Sources) Discussion, Q&A, troubleshooting Communication

community.hashi_vault.vault_kv1_get module – Get a secret from HashiCorp Vault’s KV version 1 secret store

Synopsis

Requirements

Parameters

See Also

Examples

Return Values