
Comments (10)

TerryHowe avatar TerryHowe commented on July 28, 2024 1

Sorry, rushing through things this morning.

Your output doesn't exactly match your input there. If that really is your VAULT_ADDR, I'm not sure how that would work.

The only other observation is it kind of looks like a proxy issue. Is that output from your proxy? Not sure how you are getting that if vault is on localhost.

from ansible-modules-hashivault.

ecray avatar ecray commented on July 28, 2024 1

I also am seeing issues with running on the Vault v.0.10 KV v2 changes:

    - debug: msg="Looking {{ lookup('hashivault', 'data/mysql/test_db', '') }}"

    - name: set password fact
      set_fact:
        mysql_pass: "{{ lookup('hashivault', 'data/mysql/test_db') }}"

    - name: show facts
      debug: var=mysql_pass.data.value

task path: vault_test.yml:13
ok: [localhost] => {
    "msg": "Looking {'data': {'value': 'PppaaaAsSSwWWooRRddD'}, 'metadata': {'created_time': '2018-04-27T22:50:44.148309991Z', 'deletion_time': '', 'destroyed': False, 'version': 2}}"
}

TASK [set password fact] ************************************************************************************************************
task path: vault_test.yml:15
ok: [localhost] => {
    "ansible_facts": {
        "mysql_pass": {
            "data": {
                "value": "PppaaaAsSSwWWooRRddD"
            },
            "metadata": {
                "created_time": "2018-04-27T22:50:44.148309991Z",
                "deletion_time": "",
                "destroyed": false,
                "version": 2
            }
        }
    },
    "changed": false
}

TASK [show facts] ************************************************************************************************************************
task path: vault_test.yml:19
ok: [localhost] => {
    "mysql_pass.data.value": "PppaaaAsSSwWWooRRddD"
}

Version 2 uses the secret/data/mysql/test_db address, but the client can use the old KV v1 style:

vault kv get secret/mysql/test_db
====== Metadata ======
Key              Value
---              -----
created_time     2018-04-27T22:50:44.148309991Z
deletion_time    n/a
destroyed        false
version          2

==== Data ====
Key      Value
---      -----
value    PppaaaAsSSwWWooRRddD

Documented use case of hashivault fails when trying to lookup 'value'
- debug: msg="Looking {{ lookup('hashivault', 'data/mysql/test_db', 'value') }}"
Fails:

TASK [debug] *****************************************************************************************************************************
task path: vault_test.yml:13
fatal: [localhost]: FAILED! => {
    "msg": "An unhandled exception occurred while running the lookup plugin 'hashivault'. Error was a <class 'ansible.errors.AnsibleError'>, original message: Error reading vault data/mysql/test_db/value: Key value is not in secret data/mysql/test_db\n"
}

I believe it may be a bug with hvac rather than with ansible-modules-hashivault, as it looks like hvac hasn't been updated in a while.


nferch avatar nferch commented on July 28, 2024 1

This works for me as a workaround:

- debug: msg="Looking {{ lookup('hashivault', 'data/mysql/test_db', 'data')[\"value\"] }}"

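The shape difference ecray describes (KV v2 wrapping the secret in a data/metadata envelope, so a lookup for 'value' fails with "Key value is not in secret data/mysql/test_db") and nferch's workaround, as an added Python example that is not code from ansible-modules-hashivault or hvac. The sample responses are constructed to mirror the Vault HTTP API shape and the output posted above; the secret value is the one from the thread, and the deleted-version response (deletion_time) is invented. Taking `response["data"]` is how this example models a v1-style read, not a description of the plugin's internals. Beyond the thread, it also handles a soft-deleted or destroyed v2 version, which Vault returns with metadata but no data.

```python
from typing import Any, Dict

SECRET = "PppaaaAsSSwWWooRRddD"  # value shown in the thread's output

# Constructed: a v1-style read of a KV v1 path puts the secret's own keys
# directly under "data".
KV1_RESPONSE: Dict[str, Any] = {"data": {"value": SECRET}}

# Constructed: the same read against a KV v2 mount (secret/data/...) returns an
# envelope where "data" holds the secret and "metadata" holds version info.
# This is the shape ecray's debug task printed.
KV2_RESPONSE: Dict[str, Any] = {
    "data": {
        "data": {"value": SECRET},
        "metadata": {
            "created_time": "2018-04-27T22:50:44.148309991Z",
            "deletion_time": "",
            "destroyed": False,
            "version": 2,
        },
    }
}

# Constructed: a soft-deleted KV v2 version keeps its metadata but has no data.
KV2_DELETED_RESPONSE: Dict[str, Any] = {
    "data": {
        "data": None,
        "metadata": {
            "created_time": "2018-04-27T22:50:44.148309991Z",
            "deletion_time": "2018-04-28T09:00:00.000000000Z",  # invented
            "destroyed": False,
            "version": 2,
        },
    }
}


def naive_lookup(response: Dict[str, Any], path: str, key: str) -> Any:
    """v1-style lookup: take response["data"] and index the requested key.

    Reproduces the failure in the thread: under KV v2 the keys at this level
    are only "data" and "metadata", so asking for "value" fails.
    """
    secret = response["data"]
    if key not in secret:
        raise LookupError("Key %s is not in secret %s" % (key, path))
    return secret[key]


def workaround(response: Dict[str, Any], path: str, key: str) -> Any:
    """nferch's workaround: ask the naive lookup for "data", then index it."""
    return naive_lookup(response, path, "data")[key]


def is_kv2_envelope(secret: Dict[str, Any]) -> bool:
    """Heuristic: exactly {"data", "metadata"} with a versioned metadata dict.

    A KV v1 secret could in principle be written with those two keys, so a
    caller that knows the engine version should pass it to kv_lookup.
    """
    return (
        set(secret) == {"data", "metadata"}
        and isinstance(secret["metadata"], dict)
        and "version" in secret["metadata"]
    )


def kv_lookup(response: Dict[str, Any], path: str, key: str, kv_version=None) -> Any:
    """Return one key from a KV v1 or KV v2 read.

    kv_version=1 or 2 forces the interpretation; None auto-detects from the
    envelope shape. A deleted or destroyed v2 version raises instead of
    silently handing None to a playbook variable.
    """
    secret = response["data"]
    use_v2 = is_kv2_envelope(secret) if kv_version is None else kv_version == 2
    if use_v2:
        meta = secret.get("metadata") or {}
        secret = secret.get("data")
        if secret is None:
            state = "destroyed" if meta.get("destroyed") else "deleted"
            raise LookupError(
                "Secret %s version %s is %s (deletion_time=%s)"
                % (path, meta.get("version"), state, meta.get("deletion_time"))
            )
    if key not in secret:
        raise LookupError("Key %s is not in secret %s" % (key, path))
    return secret[key]


def error_message(func, *args, **kwargs):
    """Run func and return the LookupError text, or None if it succeeded."""
    try:
        func(*args, **kwargs)
    except LookupError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    print(error_message(naive_lookup, KV2_RESPONSE, "data/mysql/test_db", "value"))
    print(workaround(KV2_RESPONSE, "data/mysql/test_db", "value"))
    print(kv_lookup(KV2_RESPONSE, "data/mysql/test_db", "value"))
```

The auto-detection is a convenience for mixed v1/v2 mounts; in a real lookup plugin it is safer to take the KV version from the mount configuration than to guess from the response shape.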

TerryHowe avatar TerryHowe commented on July 28, 2024

I think the confusion is the example docs show getting a password out of vault with the lookup plugin:

debug: msg="{{lookup('vault', 'ldapadmin', 'password')}}"

That does not mean the password for vault is passed in there, it is getting a secret ldapadmin/password.

The lookup plugin only works with environment variables:

export VAULT_ADDR='http://127.0.0.1:8000/'
export VAULT_TOKEN='supersecrettoken'


drewmullen avatar drewmullen commented on July 28, 2024

Maybe I'm still not understanding. Here's the line I wrote and what I expected it to do:

msg: "{{ lookup('hashivault', 'test', 'password') }}"

Where:

  • 'hashivault' is the lookup plugin
  • 'test' is vault path secret/test
  • 'password' is a key in test (which you see below holds the value "P@ssw0rd", very secure ;) )

I expected that to connect to my vault server (using $VAULT_ADDR and $VAULT_TOKEN env vars) and essentially run the following:

vault kv get secret/test
====== Data ======
Key         Value
---         -----
password    P@ssw0rd

Just to reiterate the example where I use the hashivault_read module was successful. The playbook connects and is able to read the secret/test value. But the playbook fails on the play that uses the lookup plugin.


drewmullen avatar drewmullen commented on July 28, 2024

Probably isn't a proxy issue; the hashivault_read play works (look directly above the task that runs lookup()). I edited the OP with comments to make it clear which plays are successful and which are failing.

What output doesn't match? I see what you mean; I edited the OP to fix this. Included in the ticket by accident. Sorry that was confusing! FYI it was not the actual URL; I subbed it out so my DNS isn't shared :)


TerryHowe avatar TerryHowe commented on July 28, 2024

I was thinking it could be a proxy issue someway internally with the way things are handled. That the difference in the way the call is made causes a difference in the way the proxy handles it.


TerryHowe avatar TerryHowe commented on July 28, 2024

The only odd thing I noticed is that, on the lookup plugin side, it strips the trailing / on the address; seems like that would help the situation rather than hurt, though. Do you have a trailing /?


drewmullen avatar drewmullen commented on July 28, 2024

You mean the vault address? echo $VAULT_ADDR ... http://my.domain.com:8200

Oooooo... I wonder if this has to do with KV version 2... https://www.vaultproject.io/guides/secret-mgmt/versioned-kv.html

I'm going to play with this a little today (hopefully)


drewmullen avatar drewmullen commented on July 28, 2024

The workaround above works great. Thanks @nferch

