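---
# Playbook: read secrets and policies from a HashiCorp Vault server with the
# community.hashi_vault collection.
#
# NOTE(review): the username/password pair below (and in the commented
# examples) is hard-coded in the playbook. Tasks that carry it are marked
# no_log so verbose runs do not echo it; the credential itself should come
# from Ansible Vault or an env lookup rather than the file.
#
# Setup notes kept from the original:
#   apt-get install sshpass
#   pip install hvac
#   https://open-amt-cloud-toolkit.github.io/docs/2.0/Docker/dockerLocal_prodVault/
#   https://elatov.github.io/2022/01/using-hashicorp-vault-with-ansible/
#   vault secrets enable -path=apps kv-v2
#   vault kv get apps/my-app
#   vault token create -explicit-max-ttl=8760h -policy=test -ttl=720h -renewable=true -display-name=test
#   local mac os : export OBJC_DISABLE_INITIALIZE_FORK_SAFETY=YES
#
# @author Stéphane Gratias (2021).
- name: Vault
  hosts: localhost
  # become: true
  gather_facts: false

  # Earlier lookup-style examples, kept commented for reference:
  # "{{ lookup('hashi_vault', 'secret=apps/data/my-app token=s.7z1Vxxx url=https://vault.kar.int')['data']['username'] }}"
  #
  # - ansible.builtin.debug:
  #     msg: "{{ lookup('community.hashi_vault.hashi_vault', 'secret=/apps/my-app:test token= url=http://myvault:8200') }}"
  #
  # - name: Return all secrets from a path
  #   delegate_to: localhost
  #   vars:
  #     # ansible_hashi_vault_url: 'https://myvault:8282'
  #     # ansible_hashi_vault_auth_method: ldap
  #   ansible.builtin.debug:
  #     msg: "{{ lookup('community.hashi_vault.hashi_vault', 'secret=/kv/data/test token= url=https://pwd.jingoh.fr') }}"
  #
  # - name: Vault that requires authentication via LDAP
  #   vars:
  #     ansible_hashi_vault_url: 'https://myvault:8282'
  #     ansible_hashi_vault_auth_method: ldap
  #     ansible_hashi_vault_mount_point: ldap
  #     ansible_hashi_vault_username: lbouvier@jingoh.fr
  #     ansible_hashi_vault_password: ptoto
  #   ansible.builtin.debug:
  #     msg: "{{ lookup('community.hashi_vault.hashi_vault', 'secret=/kv/data/test url=https://pwd.jingoh.fr auth_method=ldap mount_point=ldap username=lbouvier@jingoh.fr password=ptoto') }}"
  #
  # - name: Vault that requires authentication via LDAP
  #   vars:
  #     ansible_hashi_vault_url: 'https://pwd.jingoh.fr'
  #     ansible_hashi_vault_auth_method: ldap
  #     ansible_hashi_vault_mount_point: ldap
  #     ansible_hashi_vault_username: lbouvier@jingoh.fr
  #     ansible_hashi_vault_password: ptoto
  #   ansible.builtin.debug:
  #     msg: "{{ lookup('community.hashi_vault.vault_list', 'secret=/kv/test') }}"

  # NOTE(review): the key holding the task list was not legible in the
  # collapsed original (a commented "pre_tasks:" is visible); `tasks:` assumed.
  tasks:
    - name: Login and use the resulting token
      community.hashi_vault.vault_login:
        url: 'https://pwd.jingoh.fr'
        auth_method: userpass
        username: lbouvier@jingoh.fr
        password: ptoto  # hard-coded credential, see header note
      # NOTE(review): login_data is registered but no later task reads it;
      # the token is available as login_data.login.auth.client_token.
      register: login_data
      no_log: true

    # Prints the whole secret at /kv/data/test to stdout; the credentials
    # are embedded in the lookup string, so this task's output and any
    # verbose logging of it contain them.
    - name: Vault that requires authentication via LDAP
      ansible.builtin.debug:
        msg: "{{ lookup('community.hashi_vault.hashi_vault', '/kv/data/test auth_method=ldap mount_point=ldap username=lbouvier@jingoh.fr password=ptoto url=https://pwd.jingoh.fr') }}"

    # Task name says userpass but the module is configured for ldap; the
    # auth_method below is what actually runs.
    - name: List kv2 secrets from Vault via the remote host with userpass auth
      community.hashi_vault.vault_list:
        url: 'https://pwd.jingoh.fr'
        # For kv2, the path needs to follow the pattern 'mount_point/metadata' or
        # 'mount_point/metadata/path' to list all secrets in that path.
        # The original used /kv/data/test, which contradicts that rule; the
        # metadata form is used here so the list call reaches the kv2 listing
        # endpoint.
        path: kv/metadata/test
        auth_method: ldap
        username: lbouvier@jingoh.fr
        password: ptoto  # hard-coded credential, see header note
      register: secret
      no_log: true

    - name: Display the secrets found at the path provided above
      ansible.builtin.debug:
        # Note that secret.data.data.keys won't work as 'keys' is a built-in method
        msg: "{{ secret.data.data['keys'] }}"

    # No auth is given here, so the module falls back to the ambient token
    # (e.g. VAULT_TOKEN); the token obtained in the first task could be
    # passed explicitly via `token:` instead.
    - name: List access policies from Vault via the remote host
      community.hashi_vault.vault_list:
        url: 'https://pwd.jingoh.fr'
        path: sys/policies/acl
      register: policies

    - name: Display the policy names
      ansible.builtin.debug:
        # Note that policies.data.data.keys won't work as 'keys' is a built-in method
        msg: "{{ policies.data.data['keys'] }}"

    # url=https://pwd.jingoh.fr auth_method=ldap mount_point=ldap username=lbouvier@jingoh.fr password=ptoto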