hashi_vault – retrieve secrets from HashiCorp’s vault¶
Synopsis¶
retrieve secrets from HashiCorp’s vault
Requirements¶
The below requirements are needed on the local master node that executes this lookup.
hvac (python library)
Parameters¶
Notes¶
Note
Due to a current limitation in the HVAC library there won’t necessarily be an error if a bad endpoint is specified.
Examples¶
- debug:
msg: "{{ lookup('hashi_vault', 'secret=secret/hello:value token=c975b780-d1be-8016-866b-01d0f9b688a5 url=http://myvault:8200')}}"
- name: Return all secrets from a path
debug:
msg: "{{ lookup('hashi_vault', 'secret=secret/hello token=c975b780-d1be-8016-866b-01d0f9b688a5 url=http://myvault:8200')}}"
- name: Vault that requires authentication via LDAP
debug:
msg: "{{ lookup('hashi_vault', 'secret=secret/hello:value auth_method=ldap mount_point=ldap username=myuser password=mypas url=http://myvault:8200')}}"
- name: Vault that requires authentication via username and password
debug:
msg: "{{ lookup('hashi_vault', 'secret=secret/hello:value auth_method=userpass username=myuser password=mypas url=http://myvault:8200')}}"
- name: Using an ssl vault
debug:
msg: "{{ lookup('hashi_vault', 'secret=secret/hola:value token=c975b780-d1be-8016-866b-01d0f9b688a5 url=https://myvault:8200 validate_certs=False')}}"
- name: using certificate auth
debug:
msg: "{{ lookup('hashi_vault', 'secret=secret/hi:value token=xxxx-xxx-xxx url=https://myvault:8200 validate_certs=True cacert=/cacert/path/ca.pem')}}"
- name: authenticate with a Vault app role
debug:
msg: "{{ lookup('hashi_vault', 'secret=secret/hello:value auth_method=approle role_id=myroleid secret_id=mysecretid url=http://myvault:8200')}}"
- name: Return all secrets from a path in a namespace
debug:
msg: "{{ lookup('hashi_vault', 'secret=secret/hello token=c975b780-d1be-8016-866b-01d0f9b688a5 url=http://myvault:8200 namespace=teama/admins')}}"
# to work with kv v2 (vault api - for kv v2 - GET method requires that PATH should be "secret/data/:path")
- name: Return all kv v2 secrets from a path
debug:
msg: "{{ lookup('hashi_vault', 'secret=secret/data/hello token=my_vault_token url=http://myvault_url:8200') }}"
Return Values¶
Common return values are documented here, the following are the fields unique to this lookup:
Key | Returned | Description |
---|---|---|
_raw
-
|
secrets(s) requested
|
Status¶
This lookup is not guaranteed to have a backwards compatible interface. [preview]
This lookup is maintained by the Ansible Community. [community]