community.hashi_vault.vault_read – Perform a read operation against HashiCorp Vault
Note
This plugin is part of the community.hashi_vault collection (version 1.4.1).
You might already have this collection installed if you are using the ansible
package. It is not included in ansible-core
. To check whether it is installed, run ansible-galaxy collection list
.
To install it, use: ansible-galaxy collection install community.hashi_vault
.
To use it in a playbook, specify: community.hashi_vault.vault_read
.
New in version 1.4.0: of community.hashi_vault
Synopsis
- Performs a generic read operation against a given path in HashiCorp Vault.
Requirements
The below requirements are needed on the host that executes this module.
-
hvac
(Python library) - For detailed requirements, see the collection requirements page.
Parameters
Parameter | Choices/Defaults | Comments |
---|---|---|
auth_method string |
| Authentication method to be used. none auth method was added in collection version 1.2.0 .cert auth method was added in collection version 1.4.0 . |
aws_access_key string | The AWS access key to use. aliases: aws_access_key_id | |
aws_iam_server_id string added in 0.2.0 of community.hashi_vault | If specified, sets the value to use for the X-Vault-AWS-IAM-Server-ID header as part of GetCallerIdentity request. | |
aws_profile string | The AWS profile aliases: boto_profile | |
aws_secret_key string | The AWS secret key that corresponds to the access key. aliases: aws_secret_access_key | |
aws_security_token string | The AWS security token if using temporary access and secret keys. | |
ca_cert string | Path to certificate to use for authentication. If not specified by any other means, the VAULT_CACERT environment variable will be used.aliases: cacert | |
cert_auth_private_key path added in 1.4.0 of community.hashi_vault | For cert auth, path to the private key file to authenticate with, in PEM format. | |
cert_auth_public_key path added in 1.4.0 of community.hashi_vault | For cert auth, path to the certificate file to authenticate with, in PEM format. | |
jwt string | The JSON Web Token (JWT) to use for JWT authentication to Vault. | |
mount_point string | Vault mount point. If not specified, the default mount point for a given auth method is used. Does not apply to token authentication. | |
namespace string | Vault namespace where secrets reside. This option requires HVAC 0.7.0+ and Vault 0.11+. Optionally, this may be achieved by prefixing the authentication mount point and/or secret path with the namespace (e.g mynamespace/secret/mysecret ).If environment variable VAULT_NAMESPACE is set, its value will be used last among all ways to specify namespace. | |
password string | Authentication password. | |
path string / required | Vault path to be read. | |
proxies raw added in 1.1.0 of community.hashi_vault | URL(s) to the proxies used to access the Vault service. It can be a string or a dict. If it's a dict, provide the scheme (eg. http or https ) as the key, and the URL as the value.If it's a string, provide a single URL that will be used as the proxy for both http and https schemes.A string that can be interpreted as a dictionary will be converted to one (see examples). You can specify a different proxy for HTTP and HTTPS resources. If not specified, environment variables from the Requests library are used. | |
region string | The AWS region for which to create the connection. | |
retries raw added in 1.3.0 of community.hashi_vault | Allows for retrying on errors, based on the Retry class in the urllib3 library. This collection defines recommended defaults for retrying connections to Vault. This option can be specified as a positive number (integer) or dictionary. If this option is not specified or the number is 0 , then retries are disabled.A number sets the total number of retries, and uses collection defaults for the other settings. A dictionary value is used directly to initialize the Retry class, so it can be used to fully customize retries.For detailed information on retries, see the collection User Guide. | |
retry_action string added in 1.3.0 of community.hashi_vault |
| Controls whether and how to show messages on retries. This has no effect if a request is not retried. |
role_id string | Vault Role ID or name. Used in approle , aws_iam_login , and cert auth methods.For cert auth, if no role_id is supplied, the default behavior is to try all certificate roles and return any one that matches. | |
secret_id string | Secret ID to be used for Vault AppRole authentication. | |
timeout integer added in 1.3.0 of community.hashi_vault | Sets the connection timeout in seconds. If not set, then the hvac library's default is used. | |
token string | Vault token. Token may be specified explicitly, through the listed [env] vars, and also through the VAULT_TOKEN env var.If no token is supplied, explicitly or through env, then the plugin will check for a token file, as determined by token_path and token_file. The order of token loading (first found wins) is token param -> ansible var -> ANSIBLE_HASHI_VAULT_TOKEN -> VAULT_TOKEN -> token file . | |
token_file string | Default: ".vault-token" | If no token is specified, will try to read the token from this file in token_path. |
token_path string | If no token is specified, will try to read the token_file from this path. | |
token_validate boolean added in 0.2.0 of community.hashi_vault |
| For token auth, will perform a lookup-self operation to determine the token's validity before using it.Disable if your token does not have the lookup-self capability. |
url string | URL to the Vault service. If not specified by any other means, the value of the VAULT_ADDR environment variable will be used.If VAULT_ADDR is also not defined then a default of http://127.0.0.1:8200 will be used. | |
username string | Authentication user name. | |
validate_certs boolean |
| Controls verification and validation of SSL certificates, mostly you only want to turn off with self signed ones. Will be populated with the inverse of VAULT_SKIP_VERIFY if that is set and validate_certs is not explicitly provided.Will default to true if neither validate_certs or VAULT_SKIP_VERIFY are set. |
See Also
See also
- community.hashi_vault.vault_read lookup
-
The official documentation for the
community.hashi_vault.vault_read
lookup plugin. - community.hashi_vault.hashi_vault lookup
-
The official documentation for the
community.hashi_vault.hashi_vault
lookup plugin.
Examples
- name: Read a kv2 secret from Vault via the remote host with userpass auth community.hashi_vault.vault_read: url: https://vault:8201 path: secret/data/hello auth_method: userpass username: user password: '{{ passwd }}' register: secret - name: Display the secret data ansible.builtin.debug: msg: "{{ secret.data.data.data }}" - name: Retrieve an approle role ID from Vault via the remote host community.hashi_vault.vault_read: url: https://vault:8201 path: auth/approle/role/role-name/role-id register: approle_id - name: Display the role ID ansible.builtin.debug: msg: "{{ approle_id.data.data.role_id }}"
Return Values
Common return values are documented here, the following are the fields unique to this module:
Key | Returned | Description |
---|---|---|
data dictionary | success | The raw result of the read against the given path. |
Authors
- Brian Scholer (@briantist)
© 2012–2018 Michael DeHaan
© 2018–2021 Red Hat, Inc.
Licensed under the GNU General Public License version 3.
https://docs.ansible.com/ansible/latest/collections/community/hashi_vault/vault_read_module.html