How authenticate into Hashicorp vault using Ansible playbook


chetanc...@gmail.com

unread,
Jan 22, 2019, 10:00:29 AM1/22/19
to Vault
I am looking for the best authentication method while using Hashicorp with Ansible.
I am trying to use Approle for authentication. Now that I have the Role_ID and Secret_id, how can my ansible script read the Token_id and write it in an environment variable so that the playbook can read the token and login into the vault to write data.

Roman Eos

unread,
Jan 22, 2019, 10:15:23 AM1/22/19
to Vault
Hello,


On Tuesday, January 22, 2019 at 17:00:29 UTC+2, chetanc...@gmail.com wrote:

chetan chatrath

unread,
Jan 22, 2019, 12:02:53 PM1/22/19
to vault...@googlegroups.com
Thanks Roman, I have gone through this link and this is to retrieve secrets from the vault. I need to write data using ansible playbook for which I need to connect to the vault using Role_ID and Secret to get the token. So I wanted to check if this is the best solution or if someone has some other thoughts.



Justin DynamicD

unread,
Jan 22, 2019, 7:22:59 PM1/22/19
to Vault
Check your Ansible version, there's a known bug in 2.5 so that it doesn't work with App_role.  It was fixed in 2.6:

https://github.com/ansible/ansible/issues/38536

Not sure if this is the problem you're hitting but wanted to throw it out there.  Your 2nd statement I might be misreading, but I'll do my best.


" Now that I have the Role_ID and Secret_id, how can my ansible script read the Token_id and write it in an environment variable so that the playbook can read the token and login into the vault to write data."


Unfortunately I no longer have a vault server at my current company (cry) but from a quick read of the module you're using, the response simply gets returned in the `_raw` key.  So ... you should be able to get your token like this (ad-hoc code incoming, but hopefully gets you going):

- name: authenticate with a Vault app role
  set_fact:
    vault_auth: "{{ lookup('hashi_vault', 'secret=secret/hello:value auth_method=approle role_id=myroleid secret_id=mysecretid url=http://myvault:8200') }}"

- name: take raw return json and convert to object
  set_fact:
    vault_auth: "{{ vault_auth['_raw'] | from_json }}"

# debug's "var" takes a variable name, not a Jinja expression
- debug:
    var: vault_auth.auth.client_token

I _believe_ you should get a structure out (according to this site: https://www.vaultproject.io/docs/auth/approle.html) that should be easy to pull a client token that way.

Obviously testing is needed ... but that _should_ work.  Remember to use "delegate_to" as needed to make sure the right system is logging into vault.
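
A playbook that does the AppRole login and the write directly against the Vault HTTP API, as an added example that is not code from anyone in this thread: it takes role_id and secret_id from environment variables (VAULT_ROLE_ID and VAULT_SECRET_ID, assumed names), keeps the client token in a fact rather than a shell variable, writes to the thread's secret/hello path (assumed to be a KV v1 mount), and revokes the token at the end.

```yaml
# Added example, not from the thread. Assumes a KV v1 mount at "secret/",
# Vault reachable at VAULT_ADDR, and VAULT_ROLE_ID / VAULT_SECRET_ID in the
# environment of the control node. no_log keeps secret_id and the token out of output.
- name: Write a secret to Vault after AppRole login
  hosts: localhost
  gather_facts: false
  vars:
    vault_addr: "{{ lookup('env', 'VAULT_ADDR') | default('http://127.0.0.1:8200', true) }}"

  tasks:
    - name: Log in with role_id + secret_id
      uri:
        url: "{{ vault_addr }}/v1/auth/approle/login"
        method: POST
        body_format: json
        body:
          role_id: "{{ lookup('env', 'VAULT_ROLE_ID') }}"
          secret_id: "{{ lookup('env', 'VAULT_SECRET_ID') }}"
        return_content: true
        status_code: 200
      register: vault_login
      no_log: true

    - name: Keep only the client token as a fact
      set_fact:
        vault_token: "{{ vault_login.json.auth.client_token }}"
      no_log: true

    - name: Write data with the token (KV v1; KV v2 uses /v1/secret/data/hello with fields under "data")
      uri:
        url: "{{ vault_addr }}/v1/secret/hello"
        method: POST
        body_format: json
        body:
          value: "world"
        headers:
          X-Vault-Token: "{{ vault_token }}"
        status_code: [200, 204]
      no_log: true

    - name: Revoke the token so it does not outlive the play
      uri:
        url: "{{ vault_addr }}/v1/auth/token/revoke-self"
        method: POST
        headers:
          X-Vault-Token: "{{ vault_token }}"
        status_code: 204
      no_log: true
```

If a later task or script really needs the token as an environment variable, pass it with that task's `environment:` keyword (for example `environment: { VAULT_TOKEN: "{{ vault_token }}" }`) instead of exporting it in a shell, so it never lands in shell history or a persistent profile.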

Roman Eos

unread,
Jan 23, 2019, 3:33:42 AM1/23/19
to Vault
Oh! I misunderstood then, sorry. I've used this py plugin for writing to vault https://pypi.org/project/ansible-modules-hashivault/ it can write secrets and manage mounts/roles/backends


On Tuesday, January 22, 2019 at 17:00:29 UTC+2, chetanc...@gmail.com wrote:
I am looking for the best authentication method while using Hashicorp with Ansible.