From 82949f6e6f0bb4fad6c5adc10bca7a091daab8ba Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ga=C3=ABl=20Lambert?=
Date: Thu, 14 Dec 2017 20:25:05 +0100
Subject: [PATCH] lookup hashi_vault: Add Vault App role in auth_method (#22403)

Provide Vault App role method to the lookup. https://www.vaultproject.io/docs/auth/approle.html Usage : `{{ lookup('hashi_vault', 'secret=secret/hello:value auth_method=approle role_id=myroleid secret_id=mysecretid url=http://myvault:8200')}}` You can skip `role_id` and `secret_id` if you set `VAULT_ROLE_ID` and `VAULT_SECRET_ID` environment variables.
---
 lib/ansible/plugins/lookup/hashi_vault.py | 23 +++++++++++++++++++++++
 1 file changed, 23 insertions(+)

diff --git a/lib/ansible/plugins/lookup/hashi_vault.py b/lib/ansible/plugins/lookup/hashi_vault.py
index a32307590f..fd35d406e2 100644
--- a/lib/ansible/plugins/lookup/hashi_vault.py
+++ b/lib/ansible/plugins/lookup/hashi_vault.py
@@ -33,6 +33,14 @@ DOCUMENTATION = """
 description: authentication user name
 password:
 description: authentication password
+ role_id:
+ description: Role id for a vault AppRole auth
+ env:
+ - name: VAULT_ROLE_ID
+ secret_id:
+ description: Secret id for a vault AppRole auth
+ env:
+ - name: VAULT_SECRET_ID
 auth_method:
 description: authentication method used
 mount_point:
@@ -65,6 +73,10 @@ EXAMPLES = """
 - name: using certificate auth
 debug:
 msg: "{{ lookup('hashi_vault', 'secret=secret/hi:value token=xxxx-xxx-xxx url=https://myvault:8200 validate_certs=True cacert=/cacert/path/ca.pem')}}"
+
+ - name: authenticate with a Vault app role
+ debug:
+ msg: "{{ lookup('hashi_vault', 'secret=secret/hello:value auth_method=approle role_id=myroleid secret_id=mysecretid url=http://myvault:8200')}}"
 """
 
 RETURN = """
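Review bot: The new `secret_id` option in the DOCUMENTATION hunk is described like any other field although it is a credential, and the EXAMPLES hunk shows it written inline in the lookup term; suggest `description: Secret id for a vault AppRole auth; this is a credential, so prefer the VAULT_SECRET_ID environment variable over writing it in the lookup term`, since lookup terms may be echoed in verbose output and logs. Both `role_id` and `secret_id` also lack the `version_added: "<target release>"` that new Ansible options usually carry; add it if the project's sanity checks expect it. The DOCUMENTATION string begins before this hunk.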
@@ -185,6 +197,17 @@ class HashiVault:
 else:
 return False
 
+ def auth_approle(self, **kwargs):
+ role_id = kwargs.get('role_id', os.environ.get('VAULT_ROLE_ID', None))
+ if role_id is None:
+ raise AnsibleError("Authentication method app role requires a role_id")
+
+ secret_id = kwargs.get('secret_id', os.environ.get('VAULT_SECRET_ID', None))
+ if secret_id is None:
+ raise AnsibleError("Authentication method app role requires a secret_id")
+
+ self.client.auth_approle(role_id, secret_id)
+
 class LookupModule(LookupBase):
 
 def run(self, terms, variables, **kwargs):
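Review bot: `auth_approle` has no docstring and its two error messages do not name the environment fallback, so a caller who supplied neither will not learn about `VAULT_ROLE_ID`/`VAULT_SECRET_ID` from the failure; suggest `raise AnsibleError("Authentication method app role requires a role_id (pass role_id= or set VAULT_ROLE_ID)")` and the matching text for `secret_id`. A one-line docstring such as `"""Log in with a Vault AppRole; role_id and secret_id come from kwargs, falling back to VAULT_ROLE_ID / VAULT_SECRET_ID."""` would make the precedence explicit. The hunk adds no dispatch for `auth_method=approle`, so presumably the class already resolves `'auth_' + auth_method` by attribute lookup; that and the `os` import are not visible here and are worth confirming. The enclosing class HashiVault starts outside the hunk.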