
@ironwolphern
Created November 10, 2024 16:55
Ansible playbook to learn how to use the HashiCorp Vault modules from the community.hashi_vault collection (userpass login, AppRole credential retrieval, KV v2 read and write)
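---
# Demo playbook for the community.hashi_vault collection.
#
# Flow: log in with userpass -> use that token to fetch an AppRole's role_id
# and mint a fresh secret_id -> authenticate as that AppRole to read/write a
# KV v2 secret. Two AppRoles are used: one with read-only and one with
# read-write policy.
#
# Notes for anyone adapting this outside a lab:
#   * Every request carries a credential (the password, a client token or a
#     secret_id), so vault_address must be https:// with a certificate the
#     controller trusts. The collection validates certificates by default;
#     do not set validate_certs: false to "make it work".
#   * Each run mints a new AppRole secret_id per role. A secret_id stays valid
#     until its TTL / use count expires, so the `always` section below destroys
#     what this run created and revokes the userpass token.
#   * Every task that uses auth_method: approle performs its own AppRole login,
#     so each secret_id is consumed twice here. The roles' secret_id_num_uses
#     must allow that (0 = unlimited), or log in once with vault_login and
#     reuse the returned token instead.
#   * The "Display" tasks print secret values to stdout and to any Ansible log.
#     They only exist to show the return structure; drop them in real runs.
#   * The userpass policy needs `read` on auth/approle/role/<role>/role-id and
#     `update` on auth/approle/role/<role>/secret-id and
#     auth/approle/role/<role>/secret-id-accessor/destroy for both roles.
- name: "Manage HashiCorp Vault with modules"
  hosts: localhost
  gather_facts: false
  vars:
    # Taken from VAULT_ADDR when set; plain http:// would expose the password,
    # tokens and secret_ids to anyone on the network path, so default to https.
    vault_address: "{{ lookup('env', 'VAULT_ADDR') | default('https://vault.example.local:8200', true) }}"
    approle_ro: "role-name-ro"
    approle_rw: "role-name-rw"
  vars_prompt:
    - name: "hv_user"
      prompt: "Enter the HashiCorp Vault username"
      private: false
    - name: "hv_pass"
      prompt: "Enter the HashiCorp Vault password"
      private: true
  tasks:
    - name: "Use Vault, then revoke every credential minted by this run"
      block:
        - name: "Login to HashiCorp Vault"
          community.hashi_vault.vault_login:
            url: "{{ vault_address }}"
            auth_method: 'userpass'
            username: "{{ hv_user }}"
            password: "{{ hv_pass }}"
          register: login_data
          no_log: true

        # --- Read path: AppRole with read permissions ---------------------
        - name: "Get AppRole Role ID from HashiCorp Vault with read permissions"
          community.hashi_vault.vault_read:
            url: "{{ vault_address }}"
            auth_method: token
            token: "{{ login_data.login.auth.client_token }}"
            path: "auth/approle/role/{{ approle_ro }}/role-id"
          register: approle_role_id
          no_log: true

        # Writing to .../secret-id generates a NEW secret_id every time; the
        # response also carries secret_id_accessor, used for cleanup below.
        - name: "Get AppRole Secret ID from HashiCorp Vault with read permissions"
          community.hashi_vault.vault_write:
            url: "{{ vault_address }}"
            auth_method: token
            token: "{{ login_data.login.auth.client_token }}"
            path: "auth/approle/role/{{ approle_ro }}/secret-id"
          register: approle_secret_id
          no_log: true

        # vault_kv2_get unwraps the KV v2 envelope: the values live in .secret
        - name: "Get Secret from HashiCorp Vault with vault_kv2_get"
          community.hashi_vault.vault_kv2_get:
            url: "{{ vault_address }}"
            auth_method: approle
            role_id: "{{ approle_role_id.data.data.role_id }}"
            secret_id: "{{ approle_secret_id.data.data.secret_id }}"
            path: demo
            engine_mount_point: example
          register: secret_data
          no_log: true

        # Prints a secret value to the console/log - demo only.
        - name: "Display secret read with vault_kv2_get"
          ansible.builtin.debug:
            msg: "{{ secret_data.secret['foo'] }}"

        # Same secret via the raw API: the KV v2 mount needs the /data/ prefix
        # and the values sit one level deeper, in .data.data.data
        - name: "Get Secret from HashiCorp Vault with vault_read"
          community.hashi_vault.vault_read:
            url: "{{ vault_address }}"
            auth_method: approle
            role_id: "{{ approle_role_id.data.data.role_id }}"
            secret_id: "{{ approle_secret_id.data.data.secret_id }}"
            path: 'example/data/demo'
          register: secret_data_2
          no_log: true

        # Prints a secret value to the console/log - demo only.
        - name: "Display secret read with vault_read"
          ansible.builtin.debug:
            msg: "{{ secret_data_2.data.data.data['foo'] }}"

        # --- Write path: AppRole with write permissions -------------------
        - name: "Get AppRole Role ID from HashiCorp Vault with write permissions"
          community.hashi_vault.vault_read:
            url: "{{ vault_address }}"
            auth_method: token
            token: "{{ login_data.login.auth.client_token }}"
            path: "auth/approle/role/{{ approle_rw }}/role-id"
          register: approle_role_id_rw
          no_log: true

        - name: "Get AppRole Secret ID from HashiCorp Vault with write permissions"
          community.hashi_vault.vault_write:
            url: "{{ vault_address }}"
            auth_method: token
            token: "{{ login_data.login.auth.client_token }}"
            path: "auth/approle/role/{{ approle_rw }}/secret-id"
          register: approle_secret_id_rw
          no_log: true

        # KV v2 is versioned: every write creates a new version of the secret.
        - name: "Write secret to HashiCorp Vault with vault_kv2_write"
          community.hashi_vault.vault_kv2_write:
            url: "{{ vault_address }}"
            auth_method: approle
            role_id: "{{ approle_role_id_rw.data.data.role_id }}"
            secret_id: "{{ approle_secret_id_rw.data.data.secret_id }}"
            engine_mount_point: example
            path: demo
            data:
              foo: "bar"
          no_log: true

        # Raw API form: the payload must be wrapped in a top-level `data` key.
        - name: "Write secret to HashiCorp Vault with vault_write"
          community.hashi_vault.vault_write:
            url: "{{ vault_address }}"
            auth_method: approle
            role_id: "{{ approle_role_id_rw.data.data.role_id }}"
            secret_id: "{{ approle_secret_id_rw.data.data.secret_id }}"
            path: 'example/data/demo2'
            data:
              data:
                foo2: "barbar"
          no_log: true

      # Cleanup runs even if a task above failed. Each step is best-effort and
      # skipped when the credential it targets was never created.
      always:
        - name: "Destroy the read-only secret_id minted by this run"
          community.hashi_vault.vault_write:
            url: "{{ vault_address }}"
            auth_method: token
            token: "{{ login_data.login.auth.client_token }}"
            path: "auth/approle/role/{{ approle_ro }}/secret-id-accessor/destroy"
            data:
              secret_id_accessor: "{{ approle_secret_id.data.data.secret_id_accessor }}"
          when: approle_secret_id.data.data.secret_id_accessor is defined
          ignore_errors: true
          no_log: true

        - name: "Destroy the read-write secret_id minted by this run"
          community.hashi_vault.vault_write:
            url: "{{ vault_address }}"
            auth_method: token
            token: "{{ login_data.login.auth.client_token }}"
            path: "auth/approle/role/{{ approle_rw }}/secret-id-accessor/destroy"
            data:
              secret_id_accessor: "{{ approle_secret_id_rw.data.data.secret_id_accessor }}"
          when: approle_secret_id_rw.data.data.secret_id_accessor is defined
          ignore_errors: true
          no_log: true

        # Last: the userpass token itself, so it does not outlive the play.
        - name: "Revoke the userpass token obtained at login"
          community.hashi_vault.vault_write:
            url: "{{ vault_address }}"
            auth_method: token
            token: "{{ login_data.login.auth.client_token }}"
            path: auth/token/revoke-self
          when: login_data.login.auth.client_token is defined
          ignore_errors: true
          no_log: true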