hashi_vault - retrieve secrets from HashiCorp’s vault¶

New in version 2.0.

Synopsis
- Requirements
Parameters
Notes
Examples
Return Values
Status
- Author

Synopsis ¶

retrieve secrets from HashiCorp’s vault

Requirements ¶

The below requirements are needed on the local master node that executes this lookup.

hvac (python library)

Parameters ¶

Parameter	Choices/Defaults	Configuration	Comments
auth_method			authentication method used
cacert			path to certificate to use for authentication
mount_point	Default: ldap		vault mount point, only required if you have a custom mount point
password			authentication password
role_id		env:VAULT_ROLE_ID	Role id for a vault AppRole auth
secret required			query you are making
secret_id		env:VAULT_SECRET_ID	Secret id for a vault AppRole auth
token		env:VAULT_TOKEN	vault token
url	Default: http://127.0.0.1:8200	env:VAULT_ADDR	url to vault service
username			authentication user name
validate_certs	Default: yes		controls verification and validation of SSL certificates, mostly you only want to turn off with self signed ones.

Notes ¶

Note

Due to a current limitation in the HVAC library there won’t necessarily be an error if a bad endpoint is specified.

Examples ¶

- debug:
    msg: "{{ lookup('hashi_vault', 'secret=secret/hello:value token=c975b780-d1be-8016-866b-01d0f9b688a5 url=http://myvault:8200')}}"

- name: Return all secrets from a path
  debug:
    msg: "{{ lookup('hashi_vault', 'secret=secret/hello token=c975b780-d1be-8016-866b-01d0f9b688a5 url=http://myvault:8200')}}"

- name: Vault that requires authentication via LDAP
  debug:
      msg: "{{ lookup('hashi_vault', 'secret=secret/hello:value auth_method=ldap mount_point=ldap username=myuser password=mypas url=http://myvault:8200')}}"

- name: Using an ssl vault
  debug:
      msg: "{{ lookup('hashi_vault', 'secret=secret/hola:value token=c975b780-d1be-8016-866b-01d0f9b688a5 url=https://myvault:8200 validate_certs=False')}}"

- name: using certificate auth
  debug:
      msg: "{{ lookup('hashi_vault', 'secret=secret/hi:value token=xxxx-xxx-xxx url=https://myvault:8200 validate_certs=True cacert=/cacert/path/ca.pem')}}"

- name: authenticate with a Vault app role
  debug:
      msg: "{{ lookup('hashi_vault', 'secret=secret/hello:value auth_method=approle role_id=myroleid secret_id=mysecretid url=http://myvault:8200')}}"

Return Values ¶

Common return values are documented here, the following are the fields unique to this lookup:

Key	Returned	Description
_raw		secrets(s) requested

Status ¶

Author ¶

Jonathan Davila <jdavila(at)ansible.com>

Hint

If you notice any issues in this documentation you can edit this document to improve it.