Comments (10)
Sorry, rushing through things this morning.
Your output doesn't exactly match your input there. If that really is your VAULT_ADDR, I'm not sure how that would work.
The only other observation is it kind of looks like a proxy issue. Is that output from your proxy? Not sure how you are getting that if vault is on localhost.
from ansible-modules-hashivault.
I also am seeing issues with running on the Vault v.0.10 KV v2 changes:
    - debug: msg="Looking {{ lookup('hashivault', 'data/mysql/test_db', '') }}"
    - name: set password fact
      set_fact:
        mysql_pass: "{{ lookup('hashivault', 'data/mysql/test_db') }}"
    - name: show facts
      debug: var=mysql_pass.data.value
    task path: vault_test.yml:13
    ok: [localhost] => {
        "msg": "Looking {'data': {'value': 'PppaaaAsSSwWWooRRddD'}, 'metadata': {'created_time': '2018-04-27T22:50:44.148309991Z', 'deletion_time': '', 'destroyed': False, 'version': 2}}"
    }

    TASK [set password fact] ************************************************************************************************************
    task path: vault_test.yml:15
    ok: [localhost] => {
        "ansible_facts": {
            "mysql_pass": {
                "data": {
                    "value": "PppaaaAsSSwWWooRRddD"
                },
                "metadata": {
                    "created_time": "2018-04-27T22:50:44.148309991Z",
                    "deletion_time": "",
                    "destroyed": false,
                    "version": 2
                }
            }
        },
        "changed": false
    }

    TASK [show facts] ************************************************************************************************************************
    task path: vault_test.yml:19
    ok: [localhost] => {
        "mysql_pass.data.value": "PppaaaAsSSwWWooRRddD"
    }
Version 2 uses the secret/data/mysql/test_db address, but the client can use the old KV v1 style:

    vault kv get secret/mysql/test_db
    ====== Metadata ======
    Key              Value
    ---              -----
    created_time     2018-04-27T22:50:44.148309991Z
    deletion_time    n/a
    destroyed        false
    version          2

    ==== Data ====
    Key      Value
    ---      -----
    value    PppaaaAsSSwWWooRRddD
The documented use case of hashivault fails when trying to look up 'value':

    - debug: msg="Looking {{ lookup('hashivault', 'data/mysql/test_db', 'value') }}"

Fails:

    TASK [debug] *****************************************************************************************************************************
    task path: vault_test.yml:13
    fatal: [localhost]: FAILED! => {
        "msg": "An unhandled exception occurred while running the lookup plugin 'hashivault'. Error was a <class 'ansible.errors.AnsibleError'>, original message: Error reading vault data/mysql/test_db/value: Key value is not in secret data/mysql/test_db\n"
    }
I believe it may be a bug with hvac rather than with ansible-modules-hashivault, as it looks like hvac hasn't been updated in a while.
This works for me as a workaround:
    - debug: msg="Looking {{ lookup('hashivault', 'data/mysql/test_db', 'data')[\"value\"] }}"
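The failing 'value' lookup and the `lookup(..., 'data')["value"]` workaround above both come down to the response shape: a KV v2 engine nests the secret's keys under `data.data` and puts version info under `data.metadata`, while a v1 engine puts the keys directly under `data`. The following is an added example (not the project's or hvac's own code) showing key resolution that handles both shapes, next to the v1-only logic that produces the error in the thread. It assumes the response dicts have the shape hvac's `client.read()` returns for each engine version; the sample values are constructed from the task output posted above.

```python
"""Resolve one key from a Vault KV read, handling KV v1 and KV v2 shapes.

Added example, not code from ansible-modules-hashivault or hvac.
Assumption: ``response`` is the JSON body hvac's client.read() returns.
"""


def is_kv_v2_response(response):
    """KV v2 wraps the user's keys one level deeper: response['data'] holds
    a 'data' dict (the secret itself) and a 'metadata' dict (version info)."""
    data = response.get("data")
    return (
        isinstance(data, dict)
        and isinstance(data.get("data"), dict)
        and isinstance(data.get("metadata"), dict)
    )


def secret_fields(response):
    """Return the dict of user-supplied keys regardless of engine version."""
    if is_kv_v2_response(response):
        return response["data"]["data"]
    return response.get("data") or {}


def read_key(response, path, key):
    """Mimic the lookup plugin's (path, key) contract: return a single value,
    raising an error of the same kind the thread shows when the key is absent."""
    fields = secret_fields(response)
    if key not in fields:
        raise KeyError(
            "Error reading vault %s/%s: Key %s is not in secret %s" % (path, key, key, path)
        )
    return fields[key]


def naive_read_key(response, path, key):
    """v1-only logic that reproduces the thread's failure: it looks for the key
    directly under response['data'], where KV v2 only has 'data' and 'metadata'."""
    data = response.get("data") or {}
    if key not in data:
        raise KeyError(
            "Error reading vault %s/%s: Key %s is not in secret %s" % (path, key, key, path)
        )
    return data[key]


def kv_v2_data_path(mount, path):
    """KV v2 exposes secrets under <mount>/data/<path> on the HTTP API, which
    is why the thread has to ask the plugin for 'data/mysql/test_db'."""
    return "%s/data/%s" % (mount.strip("/"), path.strip("/"))


# Constructed sample: a KV v2 read of secret/data/mysql/test_db, with the
# shape and dummy values taken from the task output in the thread.
KV2_RESPONSE = {
    "data": {
        "data": {"value": "PppaaaAsSSwWWooRRddD"},
        "metadata": {
            "created_time": "2018-04-27T22:50:44.148309991Z",
            "deletion_time": "",
            "destroyed": False,
            "version": 2,
        },
    }
}

# Constructed sample: the same secret as a KV v1 engine would return it.
KV1_RESPONSE = {"data": {"value": "PppaaaAsSSwWWooRRddD"}}


if __name__ == "__main__":
    print(read_key(KV1_RESPONSE, "mysql/test_db", "value"))
    print(read_key(KV2_RESPONSE, "data/mysql/test_db", "value"))
    print(kv_v2_data_path("secret", "mysql/test_db"))
    try:
        naive_read_key(KV2_RESPONSE, "data/mysql/test_db", "value")
    except KeyError as exc:
        print("v1-only logic fails on KV v2:", exc)
```

The detection relies on both `data` and `metadata` being present as dicts, so a v1 secret that happens to contain a key literally named `data` is not misread as a v2 response unless it also carries `metadata`.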
I think the confusion is the example docs show getting a password out of vault with the lookup plugin:

    debug: msg="{{lookup('vault', 'ldapadmin', 'password')}}"

That does not mean the password for vault is passed in there; it is getting a secret ldapadmin/password.

The lookup plugin only works with environment variables:

    export VAULT_ADDR='http://127.0.0.1:8000/'
    export VAULT_TOKEN='supersecrettoken'
Maybe I'm still not understanding. Here's the line I wrote and what I expected it to do:

    msg: "{{ lookup('hashivault', 'test', 'password') }}"

Where:
- 'hashivault' is the lookup plugin
- 'test' is vault path secret/test
- 'password' is a key in test (which you see below holds the value "P@ssw0rd", very secure ;)

I expected that to connect to my vault server (using $VAULT_ADDR and $VAULT_TOKEN env vars) and essentially run the following:

    vault kv get secret/test
    ====== Data ======
    Key         Value
    ---         -----
    password    P@ssw0rd

Just to reiterate, the example where I use the hashivault_read module was successful. The playbook connects and is able to read the secret/test value. But the playbook fails on the play that uses the lookup plugin.
Probably isn't a proxy issue; the hashivault_read play works (look directly above the task that runs lookup()). I edited the OP with comments to make it clear which plays are successful and which are failing.

What output doesn't match? I see what you mean, I edited the OP to fix this. Included in the ticket on accident. Sorry that was confusing! FYI it was not the actual URL, I subbed it out so my DNS isn't shared :)
I was thinking it could be a proxy issue someway internally with the way things are handled. That the difference in the way the call is made causes a difference in the way the proxy handles it.
The only odd thing I noticed is on the lookup plugin side, it strips the trailing / on the address, seems like that would help the situation rather than hurt though. Do you have a trailing /?
You mean for vault address? echo $VAULT_ADDR
... http://my.domain.com:8200

Oooooo... I wonder if this has to do with the KV version 2... https://www.vaultproject.io/guides/secret-mgmt/versioned-kv.html

I'm going to play with this a little today (hopefully).
The workaround above works great. Thanks @nferch