• Stars
    star
    347
  • Rank 122,141 (Top 3 %)
  • Language
    Python
  • License
    BSD 3-Clause "New...
  • Created over 9 years ago
  • Updated over 6 years ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

ansible lookup plugin for secrets stored in Vault(by HashiCorp)

ansible-vault lookup module Build Status

This is a lookup module for secrets stored in HashiCorp Vault. Supports Ansible 1.9.x and 2.x

Deprecation notice

ansible-vault has been deprecated due to lack of personal usage of ansible and vault over the last years. There are other plugins such as hashivault which provide the same functionality and are better maintained.

Installation

lookup plugins can be loaded from several different locations similar to $PATH, see lookup_plugins. An example setup can be found in the tests directory.

The source for the plugin can be pointed to via a requirements.yml file, and accessed via ansible-galaxy.

Configuration

The address to the Vault server:

export VAULT_ADDR=http://192.168.33.10:8200/

The plugin supports both Vault auth token and GitHub auth token. To use Vault auth token:

export VAULT_TOKEN=56f48aef-8ad3-a0c4-447b-8e96990776ff

If your Vault server is configured to use GitHub auth token:

export VAULT_GITHUB_API_TOKEN=56f48aef-8ad3-a0c4-447b-8e96990776ff

The plugin also supports Vault's CA-related environment variables, to enable use of a server certificate issued by a not-widely-trusted Certificate Authority. Use of this feature in the plugin requires Python 2.7.9.

export VAULT_CACERT=/etc/ssl/certs/localCA.pem
export VAULT_CAPATH=/etc/ssl/localCA

The Vault address, CA certificate, and path can also be set via the Ansible variables vault_addr, vault_cacert, and vault_capath, respectively.

export VAULT_CAHOSTVERIFY="no"

This avoid the hostname check for Vault certificate (useful with self-signed certicates). This option can also be set via the Ansible variable vault_cahostverify.

export VAULT_SKIP_VERIFY=1

This will disable ssl certs validation. VAULT_CACERT, VAULT_CAPATH and VAULT_CAHOSTVERIFY have to be unset. Can also be set via Ansible variable vault_skip_verify: <bool>.

For more information on setting variables in Ansible, see the variables docs.

The Vault token intentionally can not be set via an Ansible variable, as this is generally checked into revision control and would be a bad security practice somewhat defeating the purpose of using Vault. The token can be read from the file $HOME/.vault-token, as documented at Vault environment variables.

If any such parameter is set by both an environment variable and an alternative means, the environment variable takes precedence.

Caching

By default secrets fetched from Vault will be cached in memory, unless you specify

export ANSIBLE_HASHICORP_VAULT_USE_CACHE=no

Note that secrets will be fetched once per fork (defaults to 5). If you turn off this feature by toggling above variable, all lookups will be done per node instead.

Approle support

If you want to use the Approle auth backend, you can do this by setting the follwing environment variables. If those vars are set, it is tried to get an approle token. If caching is enabled, the token is stored in the cache, so that it can be reused.

export ANSIBLE_HASHICORP_VAULT_ROLE_ID=ba78195c-12c9-557f-f8e2-75705b9b52ec
export ANSIBLE_HASHICORP_VAULT_SECRET_ID=5a4d079b-e6aa-ad54-8b0c-09dd35b740ee

Per default the authentication will be done against ${YOUR_HOST}/v1/auth/approle/login You can change this to fit your layout by setting the following var to your value:

export ANSIBLE_HASHICORP_VAULT_ROLE_PATH=v1/auth/my/role/path/approle/login

Usage

ansible-vault works as any other lookup plugin.

- debug: msg="{{ lookup('vault', 'secret/foo', 'value') }}"
# templates/example.j2

# Generic secrets
{{ lookup('vault', 'secret/hello').value }} # world
# Generic secrets with parameters
{{ lookup('vault', 'pki/issue/example-dot-com common_name=foo.example.com format=pem_bundle').certificate }}
# Specify field inside lookup
{{ lookup('vault', 'secret/hello', 'value') }} # world
# This syntax for Ansible 1.9.x
{{ lookup('vault', ['secret/hello', 'value']) }} # world

# Dynamic secrets
{% set aws = lookup('vault', 'aws/creds/deploy') %}
access_key = {{ aws.access_key }} # AKSCAIZSFSYHFGA
secret_key = {{ aws.secret_key }} # 4XSLxDUS+hyXgoIHEhCKExHDGAJDHFiUA/adi

If the desired value is stored within Vault with the key 'value' (like 'value=world' shown above), within a task, the lookup can be performed with:

with_vault:
- secret/hello

And then referenced with "{{ item.value }}"

Alternatively, the lookup can be performed with:

with_vault:
- secret/hello
- value

And then referenced with "{{ item }}"

Both of these forms work with both Ansible 1.9.x and 2.x. They only work within tasks, though. You can not use the with_vault: syntax within a variable definition file.

Troubleshooting

If you use the version of Ansible shipped with Ubuntu 16.04 (2.0.0.2-2ubuntu1) and get the error Error was sequence item 0: expected string, dict found then you should install Ansible from the PPA instead. Related to this Ansible PR

What's the difference between ansible-vault and hashi_vault

  • (Ansible Vault) No external dependencies; (hashi_vault) requires hvac
  • (Ansible Vault) Uses the same environment variables as vault itself
  • (Ansible Vault) Quicker update cycle
  • (Ansible Vault) Supports dynamic secrets
  • (Ansible Vault) Supports custom fields

More Repositories

1

yopass

Secure sharing of secrets, passwords and files
TypeScript
1,823
star
2

puppet-anvil

Your private Puppet Forge
Go
39
star
3

url-shortener

Tiny url shortener backed by sqlite
Go
33
star
4

droptoflare

Creates DNS records for your DigitalOcean Droplets in Cloudflare
Ruby
27
star
5

vault-java

Java implementation of the Vault(Hashicorp) API
Java
18
star
6

tutter

Plugin based Github robot
Ruby
15
star
7

python-filebutler

minimalistic file sharing service
Python
14
star
8

jhaals-warranty

Puppet module that provides warranty information for Dell/Lenovo Hardware
Ruby
13
star
9

iptables-etcd

Fetch iptables rules from etcd
Go
8
star
10

puppet-forge-mirror

simple tool that mirrors the Puppet Forge
Ruby
7
star
11

docker-mumble-server

Docker container for Mumble server
Ruby
6
star
12

yopass-cli

CLI for yopass
Ruby
5
star
13

filebutler-upload

filebutler-upload is a lightweight python application that let you upload files to python-filebutler
Python
5
star
14

tutter-sppuppet

tutter action - code review without collaborator access
Ruby
4
star
15

srcpath

Automatically structures your git checkouts, go style ⭐
Go
4
star
16

yaml-parser

YAML validation by parsing
Ruby
4
star
17

servermonitor

Remote Server Surveillance
Python
3
star
18

jhaals-osx_notify

Desktop notifications for Mountain Lion via puppet
Ruby
3
star
19

Bouvet

Bouvet Island
3
star
20

puppetdb-grep

DEPRECATED - Grep for facter fact on all nodes matching your puppetdb query
Python
3
star
21

jhaals-app_inventory

This puppet module provides a software inventory for Mac OS X 10.5+
Ruby
3
star
22

script

random scripts
Python
2
star
23

gohealthy

Library for registering HTTP health checks
Go
2
star
24

SSSBackup

Simple Secure System Backup
Python
2
star
25

hoststat

Monitor hostnames for ip address changes
Go
2
star
26

yopass-next

TypeScript
2
star
27

stash-hook-router

Route Stash pull requests to different scripts
Go
1
star
28

short

Simple URL Shortener
Java
1
star
29

puppet-vagrant

Installs Vagrant via Boxen
Ruby
1
star
30

gopass

simple web service for sharing secrets/passwords
JavaScript
1
star
31

filebutler

compojure experiment
Clojure
1
star
32

chantop

Get Channel statistics from a running gRPC service
Go
1
star
33

urlstat

Monitor URLs for state changes
Go
1
star
34

yopass-java

TEST Implementation of Yopass in Java
Java
1
star
35

ec2-api-tools

Create debian package containing ec2-api-tools
Shell
1
star