Best way of using HashiCorp's Vault from Ansible


ma...@alpha-force.net

Jul 4, 2015, 2:20:57 PM
to vault...@googlegroups.com
I'm using Ansible for configuration management with passwords being stored in plaintext in playbooks. What's the best way of reading secret strings and files from HashiCorp's Vault and using them to populate placeholders in Ansible templates?

Jeff Mitchell

Jul 5, 2015, 12:40:12 PM
to vault...@googlegroups.com
I'm not sure if there are any Vault modules for Ansible yet, but have you looked at Ansible Vault (no relation to HashiCorp Vault)? It's a built-in capability of Ansible that allows you to encrypt playbooks or tasks so that passwords are not stored in plaintext. It would at least be a good stopgap measure until something that more directly interfaces between Ansible and (HashiCorp) Vault is available.

--Jeff

ma...@alpha-force.net

Jul 6, 2015, 3:51:45 PM
to vault...@googlegroups.com
Yeah, I'm familiar with it, but it's not a complete solution: it only solves the problem for deployment, and I like having SSOTs (https://en.wikipedia.org/wiki/Single_Source_of_Truth) for information, including passwords. I'd just like to skip using AnsiVault and go directly to HashiVault.

Armon Dadgar

Jul 6, 2015, 4:06:55 PM
to vault...@googlegroups.com, ma...@alpha-force.net
The issue with using Ansible (or any CM tool) with HashiCorp Vault is that our Vault is more like a database that is exposing dynamic data as opposed to simply storing static information. These semantics are exposed in the form of secret leasing and dynamic secrets. The challenge with using a CM tool is that they are out-of-band, making it difficult to handle things like secret leases.

Instead, the pattern we recommend (and use ourselves with Puppet) is to set up consul-template.

With this pattern, the templates are managed and deployed with a CM tool, but the secrets are populated online and dynamically updated by consul-template. That tool handles secret leasing and renewal, reloading the application on changes, etc.

Hope that helps!

Best Regards,
Armon Dadgar

Eric Feliksik

Dec 10, 2015, 12:57:16 PM
to Vault
I just saw https://github.com/jhaals/ansible-vault; didn't test it yet.

Nathan Julsrud

Apr 20, 2016, 3:40:49 PM
to Vault
I didn't have good luck with this at all in Ansible 1.9.4 (I used the version under the 1.0.0 tag). Instead, for Ansible 1.9.4 I had great success with

https://github.com/ansible/ansible/blob/devel/lib/ansible/plugins/lookup/hashi_vault.py

I'd like to dynamically write secrets. I'm wondering about scrapping Ansible lookups entirely and writing a script that invokes the web API of HashiCorp Vault instead. That way I can query for a password and, if it doesn't exist, dynamically generate it.

Johan Haals

May 6, 2016, 4:39:23 AM
to Vault
Just an update that the latest release of https://github.com/jhaals/ansible-vault supports dynamic secrets.
It's only for Ansible 2.x, however. Make sure to create an issue if you have questions or feedback :)

Dave Cottlehuber

May 6, 2016, 4:53:18 AM
to vault...@googlegroups.com
On Fri, 6 May 2016, at 10:39, Johan Haals wrote:
> Just a update that the latest release of https://github.com/jhaals/ansible-vault support dynamic secrets.
> It's only for ansible 2.x however, make sure to create an issue if you got questions or feedback :)
>
super valuable plugin - thanks!

How does it relate to
https://github.com/ansible/ansible/blob/devel/lib/ansible/plugins/lookup/hashi_vault.py
? Merging yours into core ansible would be a huge win.

A+
Dave

Johan Haals

May 6, 2016, 8:42:10 AM
to Vault
The hashi_vault plugin has some downsides: it has dependencies, can't handle dynamic secrets, and doesn't take VAULT_TOKEN from the environment.
I submitted a PR which gives the same functionality without dependencies: https://github.com/ansible/ansible/pull/13907. It's tagged for the 2.1 milestone. I might update the PR with support for dynamic secrets, but that will break compatibility with earlier 2.0 versions. I believe it's better to have the module outside core; it allows frequent updates and better flexibility, since the module can be included in your config repo.

/Johan
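The script Nathan sketches above (query Vault's HTTP API for a password and generate one if it is absent), written with the two properties Johan lists as missing from the core plugin (no third-party dependencies, VAULT_TOKEN and VAULT_ADDR read from the environment), as an added example that is not code from either plugin, from core Ansible or from Vault itself. It assumes the KV v1 API shape of the time (GET/POST /v1/secret/<path>, an X-Vault-Token header, HTTP 404 for a key that does not exist, 204 on write) and surfaces lease_id/lease_duration so a dynamic secret's lease is not silently dropped. The FakeVaultTransport, its token value and the secret paths are constructed for an offline run; against a real server, omit transport= and set VAULT_ADDR/VAULT_TOKEN.

```python
import json
import os
import secrets
import string
import urllib.error
import urllib.request


class VaultError(Exception):
    pass


class VaultClient:
    """Stdlib-only Vault HTTP API client (assumed KV v1 layout: /v1/secret/<path>)."""

    def __init__(self, addr=None, token=None, transport=None):
        # VAULT_ADDR / VAULT_TOKEN come from the environment unless passed in.
        self.addr = (addr or os.environ.get("VAULT_ADDR", "http://127.0.0.1:8200")).rstrip("/")
        self.token = token or os.environ.get("VAULT_TOKEN")
        if not self.token:
            raise VaultError("no Vault token: pass token= or set VAULT_TOKEN")
        # transport(method, url, headers, body) -> (status, raw_bytes); injectable
        # so the example can run against the in-memory fake below.
        self.transport = transport or self._http

    @staticmethod
    def _http(method, url, headers, body):
        req = urllib.request.Request(url, data=body, headers=headers, method=method)
        try:
            with urllib.request.urlopen(req, timeout=10) as resp:
                return resp.status, resp.read()
        except urllib.error.HTTPError as err:
            return err.code, err.read()

    def _call(self, method, path, payload=None):
        url = f"{self.addr}/v1/{path.lstrip('/')}"
        headers = {"X-Vault-Token": self.token}
        body = None
        if payload is not None:
            body = json.dumps(payload).encode()
            headers["Content-Type"] = "application/json"
        status, raw = self.transport(method, url, headers, body)
        if status == 404:  # KV v1: an absent key is a 404, not an error
            return None
        if status >= 400:  # e.g. 403 for a bad token or a denied policy
            raise VaultError(f"{method} {path} -> HTTP {status}: {raw[:200]!r}")
        return json.loads(raw) if raw else {}  # KV writes answer 204 with no body

    def read(self, path):
        """Secret as {'data', 'lease_id', 'lease_duration'}, or None if absent.
        A dynamic secret carries a lease_id the caller must renew or revoke."""
        resp = self._call("GET", path)
        if resp is None:
            return None
        return {"data": resp.get("data", {}), "lease_id": resp.get("lease_id"),
                "lease_duration": resp.get("lease_duration")}

    def write(self, path, data):
        self._call("POST", path, data)  # KV v1 write replaces the whole object

    def get_or_create_password(self, path, key="password", length=32):
        """Return data[key] at path, generating and storing one if it is missing.
        Check-then-act with no CAS on KV v1: two concurrent runs can both write
        and the later one wins, so serialise this step in the playbook."""
        existing = self.read(path)
        if existing is not None and key in existing["data"]:
            return existing["data"][key]
        alphabet = string.ascii_letters + string.digits
        password = "".join(secrets.choice(alphabet) for _ in range(length))
        merged = dict(existing["data"]) if existing else {}
        merged[key] = password
        self.write(path, merged)
        return password


class FakeVaultTransport:
    """Constructed in-memory stand-in for a Vault server with KV v1 response shapes."""
    TOKEN = "s.test-token"  # hypothetical token for the offline run

    def __init__(self):
        self.store = {}

    def __call__(self, method, url, headers, body):
        if headers.get("X-Vault-Token") != self.TOKEN:
            return 403, b'{"errors":["permission denied"]}'
        path = url.split("/v1/", 1)[1]
        if method == "GET":
            if path not in self.store:
                return 404, b'{"errors":[]}'
            return 200, json.dumps({"data": self.store[path], "lease_id": "",
                                    "lease_duration": 2764800}).encode()
        if method == "POST":
            self.store[path] = json.loads(body)
            return 204, b""
        return 405, b""
```

The generate-on-miss step is the weak point Armon's reply hints at: a CM run is out-of-band, so nothing stops two hosts from racing to create the same password, and a KV v1 write overwrites the whole object. Run that task once (e.g. from a single delegated host) and let every other play only read. A non-empty lease_id in read()'s result means the value is a dynamic secret that expires; a playbook that stores it in a template without renewing it is back to the problem consul-template solves.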

Bill WANG

Jun 12, 2016, 9:52:31 PM
to Vault
Looks useful.

+1

Nathan Julsrud

Jul 6, 2016, 4:53:32 PM
to Vault
I like your work on this. I'm limited to Ansible 1.9.6 right now until we vet out the SSH bugs in 2.0.

I'd really like the lookup plugin to inherit enough data from Ansible Vault so that the user could just do something like
{{ lookup('hashi_vault',"mysecret") }}

with the Vault token and URL pulled from Ansible. Seems to be a limitation of 1.9.x.