Automating Hashicorp Vault Secrets Retrieval with Ansible

  • role_id: required for the initial authentication to Vault that generates the AppRole token
  • secret_id: required for the initial authentication to Vault that generates the AppRole token
  • vault_url: the URL of the Vault server
  • auth_method: the mount path of the AppRole auth method, if it is named something other than 'approle'
  • vault_namespace: the Vault namespace where the secrets are stored
  • kv_version: either 1 or 2, depending on which option was chosen when the KV (Key Value) secrets engine was set up
  • secret_var: custom variable name used to differentiate secrets when more than one is pulled
  • secrets_path: the path where the key/value pairs are stored. If the KV secrets engine was created as version 2, the word data must be inserted into the path between the secrets engine mount and the secret's own path; in version 1, data is not added.
# Version 1
secrets_path: kv/test_secret
# Version 2
secrets_path: kv/data/test_secret
Retrieving Approle token using role id and secret id
TASK [debug] *******************************************************************************************************************************************
ok: [localhost] => {
"msg": {
………
"json": {
"auth": {
"accessor": "i6MYvw2bmAY435XmDl3EMQSR",
"client_token": "token_id",
"entity_id": "c5f749c5-e926-2068-5f09-44103fb9aefc",
"lease_duration": 3600,
"metadata": {
"role_name": "test_policy"
},
Registering contents of Vault in secrets path
Key Vault Dictionary Retrieval for Version 1
Key Vault Dictionary Retrieval for Version 2
Display the secret value of the key
TASK [debug] *******************************************************************************************************************************************
ok: [localhost] => {
“msg”: “789”
}
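The tasks described above (AppRole login, reading the secrets path, picking the right dictionary for KV version 1 or 2, and displaying one key) as a single runnable playbook. This is an added example, not the article's own tasks: variable names follow the list at the top of the article, while the Vault URL, the credentials taken from environment variables, and the key name secret_key are assumptions for your own environment. KV version 1 returns the key/value pairs directly under json.data; KV version 2 wraps them one level deeper under json.data.data, next to json.data.metadata, which is why the two set_fact tasks differ.

```yaml
---
# Added example (not the article's code): AppRole login followed by a KV v1/v2 read.
# vault_url, the VAULT_ROLE_ID/VAULT_SECRET_ID environment variables and
# secret_key are assumed placeholders for your own environment.
- name: Retrieve a secret from HashiCorp Vault via AppRole
  hosts: localhost
  gather_facts: false
  vars:
    vault_url: "https://vault.example.com:8200"     # assumed
    auth_method: "approle"                           # AppRole auth mount path
    vault_namespace: ""                              # Vault Enterprise only; leave empty on OSS
    kv_version: 2
    secrets_path: "kv/data/test_secret"              # KV v1 would be kv/test_secret
    secret_var: "test_secret"                        # fact name holding the retrieved dictionary
    secret_key: "password"                           # assumed key name inside the secret
    role_id: "{{ lookup('env', 'VAULT_ROLE_ID') }}"
    secret_id: "{{ lookup('env', 'VAULT_SECRET_ID') }}"

  tasks:
    - name: Retrieve AppRole token using role_id and secret_id
      ansible.builtin.uri:
        url: "{{ vault_url }}/v1/auth/{{ auth_method }}/login"
        method: POST
        body_format: json
        body:
          role_id: "{{ role_id }}"
          secret_id: "{{ secret_id }}"
        headers:
          # header is dropped entirely when no namespace is configured
          X-Vault-Namespace: "{{ vault_namespace | default(omit, true) }}"
        return_content: true
        status_code: 200
      register: approle_login
      no_log: true   # keep secret_id and client_token out of the play output

    - name: Register contents of Vault in secrets path
      ansible.builtin.uri:
        url: "{{ vault_url }}/v1/{{ secrets_path }}"
        method: GET
        headers:
          X-Vault-Token: "{{ approle_login.json.auth.client_token }}"
          X-Vault-Namespace: "{{ vault_namespace | default(omit, true) }}"
        return_content: true
        status_code: 200
      register: vault_response
      no_log: true

    # KV v1: key/value pairs live at json.data
    - name: Key Vault dictionary retrieval for version 1
      ansible.builtin.set_fact:
        "{{ secret_var }}": "{{ vault_response.json.data }}"
      when: kv_version | int == 1
      no_log: true

    # KV v2: key/value pairs live at json.data.data (json.data.metadata holds version info)
    - name: Key Vault dictionary retrieval for version 2
      ansible.builtin.set_fact:
        "{{ secret_var }}": "{{ vault_response.json.data.data }}"
      when: kv_version | int == 2
      no_log: true

    - name: Display the secret value of the key
      ansible.builtin.debug:
        msg: "{{ lookup('vars', secret_var)[secret_key] }}"
```

The login and read tasks carry no_log so that the secret_id, the client token and the secret material never land in the Ansible output or a CI log; the article's debug of the login response is useful while wiring things up but should not stay in a production playbook. Switching kv_version to 1 together with a v1-style secrets_path (no data segment) is all that is needed to read from a version 1 engine.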