hashi_vault – retrieve secrets from HashiCorp’s vault
New in version 2.0.
Synopsis
- retrieve secrets from HashiCorp’s vault
 
Requirements
The below requirements are needed on the local master node that executes this lookup.
- hvac (python library)
 
Parameters
| Parameter | Choices/Defaults | Configuration | Comments |
|---|---|---|---|
| auth_method | - | env:VAULT_AUTH_METHOD | Authentication method to be used. userpass is added in version 2.8. |
| ca_cert | - | | Path to certificate to use for authentication. Aliases: cacert |
| mount_point | Default: "ldap" | | Vault mount point, only required if you have a custom mount point. |
| namespace (added in 2.8) | Default: "None" | | Namespace where secrets reside. Requires HVAC 0.7.0+ and Vault 0.11+. |
| password | - | | Authentication password. |
| role_id | - | env:VAULT_ROLE_ID | Role id for a Vault AppRole auth. |
| secret (required) | - | | Query you are making. |
| secret_id | - | env:VAULT_SECRET_ID | Secret id for a Vault AppRole auth. |
| token | - | env:VAULT_TOKEN | Vault token. |
| url | Default: "http://127.0.0.1:8200" | env:VAULT_ADDR | URL to Vault service. |
| username | - | | Authentication user name. |
| validate_certs (boolean) | Default: "yes" | | Controls verification and validation of SSL certificates; mostly you only want to turn this off with self-signed ones. |
Notes
- Due to a current limitation in the HVAC library there won’t necessarily be an error if a bad endpoint is specified.
 
Examples
- debug:
    msg: "{{ lookup('hashi_vault', 'secret=secret/hello:value token=c975b780-d1be-8016-866b-01d0f9b688a5 url=http://myvault:8200')}}"
- name: Return all secrets from a path
  debug:
    msg: "{{ lookup('hashi_vault', 'secret=secret/hello token=c975b780-d1be-8016-866b-01d0f9b688a5 url=http://myvault:8200')}}"
- name: Vault that requires authentication via LDAP
  debug:
    msg: "{{ lookup('hashi_vault', 'secret=secret/hello:value auth_method=ldap mount_point=ldap username=myuser password=mypas url=http://myvault:8200')}}"
- name: Vault that requires authentication via username and password
  debug:
    msg: "{{ lookup('hashi_vault', 'secret=secret/hello:value auth_method=userpass username=myuser password=mypas url=http://myvault:8200')}}"
- name: Using an ssl vault
  debug:
    msg: "{{ lookup('hashi_vault', 'secret=secret/hola:value token=c975b780-d1be-8016-866b-01d0f9b688a5 url=https://myvault:8200 validate_certs=False')}}"
- name: using certificate auth
  debug:
    msg: "{{ lookup('hashi_vault', 'secret=secret/hi:value token=xxxx-xxx-xxx url=https://myvault:8200 validate_certs=True cacert=/cacert/path/ca.pem')}}"
- name: authenticate with a Vault app role
  debug:
    msg: "{{ lookup('hashi_vault', 'secret=secret/hello:value auth_method=approle role_id=myroleid secret_id=mysecretid url=http://myvault:8200')}}"
- name: Return all secrets from a path in a namespace
  debug:
    msg: "{{ lookup('hashi_vault', 'secret=secret/hello token=c975b780-d1be-8016-866b-01d0f9b688a5 url=http://myvault:8200 namespace=teama/admins')}}"
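The examples above all pass a single space-separated string of `key=value` pairs, with `secret=<path>[:<field>]` selecting either one field or the whole secret. The following is an added worked example, not the plugin's own code, that shows how such a term resolves against the Parameters table: a key given in the term wins, otherwise the documented environment variable (so a `VAULT_TOKEN` or `VAULT_ADDR` set on the control node keeps the token out of the playbook), otherwise the documented default; the `cacert` alias is folded into `ca_cert`. The Vault server is replaced by a constructed in-memory dict (`FAKE_VAULT`), and the exact parsing rules (last-colon split of the secret, truthy words for `validate_certs`) are assumptions chosen to match the documented behaviour.

```python
"""Added example: resolve a hashi_vault lookup term into its documented
options and show what the lookup returns.  Vault itself is stood in for
by a constructed dict; this is not the plugin's implementation."""
import os

# Option name -> (environment variable, default), taken from the
# Parameters table.  None means no environment variable / no default.
OPTIONS = {
    "auth_method":    ("VAULT_AUTH_METHOD", None),
    "ca_cert":        (None, None),
    "mount_point":    (None, "ldap"),
    "namespace":      (None, None),
    "password":       (None, None),
    "role_id":        ("VAULT_ROLE_ID", None),
    "secret":         (None, None),
    "secret_id":      ("VAULT_SECRET_ID", None),
    "token":          ("VAULT_TOKEN", None),
    "url":            ("VAULT_ADDR", "http://127.0.0.1:8200"),
    "username":       (None, None),
    "validate_certs": (None, True),
}
ALIASES = {"cacert": "ca_cert"}          # alias documented for ca_cert
TRUE_WORDS = {"yes", "true", "1", "on"}  # assumption: how a string becomes True


def resolve_options(term, environ=None):
    """Parse 'key=value key=value ...' into the documented options.
    Precedence: value in the term > environment variable > default.
    Raises ValueError for an unknown key or when 'secret' is missing."""
    environ = os.environ if environ is None else environ
    given = {}
    for piece in term.split():
        if "=" not in piece:
            raise ValueError("expected key=value, got %r" % piece)
        key, value = piece.split("=", 1)
        key = ALIASES.get(key, key)
        if key not in OPTIONS:
            raise ValueError("unknown option %r" % key)
        given[key] = value
    resolved = {}
    for key, (env_var, default) in OPTIONS.items():
        if key in given:
            resolved[key] = given[key]
        elif env_var and env_var in environ:
            resolved[key] = environ[env_var]
        else:
            resolved[key] = default
    if not resolved["secret"]:
        raise ValueError("'secret' is required")
    if isinstance(resolved["validate_certs"], str):
        resolved["validate_certs"] = resolved["validate_certs"].lower() in TRUE_WORDS
    return resolved


def split_secret(secret):
    """'secret/hello:value' -> ('secret/hello', 'value');
    'secret/hello'       -> ('secret/hello', None).
    Assumption: the field is whatever follows the last ':'."""
    path, sep, field = secret.rpartition(":")
    if not sep:
        return secret, None
    return path, field


# Constructed stand-in for the KV data behind the 'url' option.
FAKE_VAULT = {
    "secret/hello": {"value": "world", "other": "thing"},
    "secret/hola": {"value": "mundo"},
}


def lookup(term, environ=None, store=FAKE_VAULT):
    """Return what the lookup returns for 'term': one field when
    secret=path:field is given, otherwise the whole secret mapping."""
    opts = resolve_options(term, environ)
    path, field = split_secret(opts["secret"])
    data = store.get(path)
    if data is None:
        raise LookupError("The secret %s doesn't seem to exist" % path)
    if field is None:
        return data
    if field not in data:
        raise LookupError("The secret %s has no field %r" % (path, field))
    return data[field]


if __name__ == "__main__":
    # Token and address come from the environment, not from the term.
    env = {"VAULT_TOKEN": "s.constructed-example", "VAULT_ADDR": "https://myvault:8200"}
    print(lookup("secret=secret/hello:value", environ=env))   # world
    print(lookup("secret=secret/hello", environ=env))         # whole mapping
```

Running the module prints the single field and then the whole mapping; the `environ` argument exists only so the resolution order can be exercised without touching the real process environment.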
Return Values
Common return values are documented here; the following are the fields unique to this lookup:
| Key | Returned | Description |
|---|---|---|
| _raw | | secret(s) requested |
Status
- This lookup is not guaranteed to have a backwards compatible interface. [preview]
- This lookup is maintained by the Ansible Community. [community]
 
Authors
- Jonathan Davila <jdavila(at)ansible.com>
 
Hint
Configuration entries for each entry type have a low to high priority order. For example, a variable that is lower in the list will override a variable that is higher up.
© 2012–2018 Michael DeHaan
© 2018–2019 Red Hat, Inc.
Licensed under the GNU General Public License version 3.
https://docs.ansible.com/ansible/2.8/plugins/lookup/hashi_vault.html