Ansible playbook for learning how to use HashiCorp Vault lookups from the community.hashi_vault collection: log in with userpass, obtain AppRole credentials for a read-only and a read-write role, then read and write a KV v2 secret with those credentials.
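---
# Learning playbook: authenticate to HashiCorp Vault with userpass, mint AppRole
# credentials for a read-only and a read-write role, then read and write a KV v2
# secret with those AppRole credentials through the community.hashi_vault
# collection.
#
# Security notes for anyone adapting this:
#   * vault_address must be an https URL. Every lookup below sends credentials
#     (the userpass password, the client token, the AppRole SecretID) in the
#     request, so a plain-http URL exposes them on the wire.
#   * Each run mints a fresh AppRole SecretID via auth/approle/role/<role>/secret-id
#     and never revokes it. Bound the roles with secret_id_ttl /
#     secret_id_num_uses (or destroy the SecretID afterwards) so that a leaked
#     SecretID does not stay valid indefinitely.
#   * The userpass token is what hits the auth/approle/role/* paths, so the
#     policy attached to that identity is at least as powerful as both AppRoles
#     combined; keep it tightly scoped and do not reuse it for anything else.
#   * The "Display ..." tasks print secret values to stdout on purpose, as a
#     learning aid. Do not keep that in a real playbook: add no_log: true or
#     drop those tasks.
- name: "Manage HashiCorp Vault with lookups"
  hosts: localhost
  gather_facts: false
  vars:
    # TLS only: this URL carries the userpass password and every later token.
    vault_address: "https://vault.example.local:8200"
  vars_prompt:
    - name: "hv_user"
      prompt: "Enter the HashiCorp Vault username"
      private: false
    - name: "hv_pass"
      prompt: "Enter the HashiCorp Vault password"
      private: true
  tasks:
    # login.auth.client_token is the token used for the AppRole bootstrap below.
    # no_log keeps both the password and the returned token out of task output.
    - name: "Login to HashiCorp Vault"
      ansible.builtin.set_fact:
        login: "{{ lookup('community.hashi_vault.vault_login', url=vault_address,
                  auth_method='userpass', username=hv_user, password=hv_pass) }}"
      no_log: true

    # Read path: fetch the RoleID and mint a SecretID for the read-only AppRole.
    # Generating a SecretID is a write (POST), hence vault_write for that path.
    - name: "Get HashiCorp Vault role ID and secret ID with read permissions"
      ansible.builtin.set_fact:
        app_id: "{{ lookup('community.hashi_vault.vault_read', 'auth/approle/role/role-name-ro/role-id',
                   token=login.auth.client_token, url=vault_address) }}"
        app_secret: "{{ lookup('community.hashi_vault.vault_write', 'auth/approle/role/role-name-ro/secret-id',
                       token=login.auth.client_token, url=vault_address) }}"
      no_log: true

    # Generic lookup: takes the full KV v2 API path ('<mount>/data/<secret>')
    # followed by ':<key>' to select a single field.
    - name: "Display HashiCorp Vault secret (hashi_vault lookup)"
      ansible.builtin.debug:
        msg: "{{ lookup('community.hashi_vault.hashi_vault', 'example/data/demo:foo', auth_method='approle',
                role_id=app_id.data.role_id, secret_id=app_secret.data.secret_id, url=vault_address) }}"

    # KV v2-aware lookup: mount point and secret name are passed separately and
    # the field is selected from the returned 'secret' mapping.
    - name: "Display HashiCorp Vault secret (vault_kv2_get lookup)"
      ansible.builtin.debug:
        msg: "{{ lookup('community.hashi_vault.vault_kv2_get', 'demo', auth_method='approle', engine_mount_point='example',
                role_id=app_id.data.role_id, secret_id=app_secret.data.secret_id, url=vault_address).secret['foo'] }}"

    # Write path: a separate AppRole with write permissions, so the read-only
    # credentials above never gain write capability.
    - name: "Get HashiCorp Vault role ID and secret ID with write permissions"
      ansible.builtin.set_fact:
        app_id_rw: "{{ lookup('community.hashi_vault.vault_read', 'auth/approle/role/role-name-rw/role-id',
                      token=login.auth.client_token, url=vault_address) }}"
        app_secret_rw: "{{ lookup('community.hashi_vault.vault_write', 'auth/approle/role/role-name-rw/secret-id',
                          token=login.auth.client_token, url=vault_address) }}"
      no_log: true

    # A write is a side effect, so it belongs in a module task rather than in a
    # lookup evaluated while rendering a debug message. KV v2 expects the
    # payload wrapped in a 'data' key, which is why secret_data nests 'data'.
    - name: "Write secrets to HashiCorp Vault"
      community.hashi_vault.vault_write:
        url: "{{ vault_address }}"
        auth_method: approle
        role_id: "{{ app_id_rw.data.role_id }}"
        secret_id: "{{ app_secret_rw.data.secret_id }}"
        path: example/data/demo
        data: "{{ secret_data }}"
      vars:
        secret_data:
          data:
            foo: bar
      register: write_result
      no_log: true

    # The KV v2 write response carries version metadata, not the secret itself,
    # so showing it does not leak the value that was just written.
    - name: "Show the write result"
      ansible.builtin.debug:
        var: write_result.data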