How authenticate into Hashicorp vault using Ansible playbook

[chetanc...@gmail.com]

I am looking for the best authentication method while using Hashicorp with Ansible.
I am trying to use Approle for authentication. Now that I have the Role_ID and Secret_id, how can my ansible script read the Token_id and write it in an environment variable so that the playbook can read the token and login into the vault to write data.

[Roman Eos]

Hello, 

I would recommend to look at https://docs.ansible.com/ansible/2.5/plugins/lookup/hashi_vault.html

examples: https://docs.ansible.com/ansible/2.5/plugins/lookup/hashi_vault.html#examples

вторник, 22 января 2019 г., 17:00:29 UTC+2 пользователь chetanc...@gmail.com написал:

[chetan chatrath]

Thanks Roman, I have gone through this link and this is to retrieve secrets from he vault. I need to write data using ansible playbook for which I need to connect to the vault using Role_ID and Secret to get the token. So I wanted to check if this is the best solution or if someone has some other thoughts.

--
This mailing list is governed under the HashiCorp Community Guidelines - https://www.hashicorp.com/community-guidelines.html. Behavior in violation of those guidelines may result in your removal from this mailing list.
 
GitHub Issues: https://github.com/hashicorp/vault/issues
IRC: #vault-tool on Freenode
---
You received this message because you are subscribed to the Google Groups "Vault" group.
To unsubscribe from this group and stop receiving emails from it, send an email to vault-tool+...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/vault-tool/1ed04f36-ec91-4185-ae57-71a3941b13b9%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[Justin DynamicD]

Check your Ansible version, there's a known bug in 2.5 so that it doesn't work with App_role.  It was fixed in 2.6:

https://github.com/ansible/ansible/issues/38536

Not sure if this is the problem you're hitting but wanted to throw it out there.  Your 2nd statement I might be misreading, but I'll do my best.

" Now that I have the Role_ID and Secret_id, how can my ansible script read the Token_id and write it in an environment variable so that the playbook can read the token and login into the vault to write data."

Unfortunately I no longer have a vault server at my current company (cry) but from a quick read of the module you're using, the response simply gets returned in the `_raw` key.  So ... you should be able to get your token like this (ad-hoc code incoming, but hopefully gets you gong):

- name: authenticate with a Vault app role
  set_fact:
      vault_auth: "{{ lookup('hashi_vault', 'secret=secret/hello:value auth_method=approle role_id=myroleid secret_id=mysecretid url=http://myvault:8200')}}"

- name: take raw return json and convert to object
  set_fact:
    vault_auth: "{{ vault_auth['_raw'] | from_json }}"

- debug:
    var: "{{ vault_auth.auth.client_token }}"

I _believe_ you should get a structure out (according to this site: https://www.vaultproject.io/docs/auth/approle.html) that should be easy to pull a client token that way.

Obviously testing is needed ... but that _should_ work.  Remember to to "delegate_to" as needed to make sure the right system is logging into vault.

[Roman Eos]

Oh! I misunderstood then, sorry. I've used this py plugin for writing to vault https://pypi.org/project/ansible-modules-hashivault/ it can write secrets and manage mounts/roles/backends

вторник, 22 января 2019 г., 17:00:29 UTC+2 пользователь chetanc...@gmail.com написал:

I am looking for the best authentication method while using Hashicorp with Ansible.