hashi_vault - Change token_path env var loading precedence (#902)

* Change how vault token is loaded * Add changelog for PR #902 * Update changelogs/fragments/902-hashi_vault-token-path.yml Co-authored-by: Felix Fontein <felix@fontein.de> * Update plugins/lookup/hashi_vault.py Add version_added Co-authored-by: Felix Fontein <felix@fontein.de> * Update plugins/lookup/hashi_vault.py Add version_added Co-authored-by: Felix Fontein <felix@fontein.de> Co-authored-by: Felix Fontein <felix@fontein.de>
2024-09-14 20:13:21 +02:00 · 2020-09-18 15:59:25 -04:00 · 2020-09-18 15:59:25 -04:00 · ba5b86cf4a
commit ba5b86cf4a
parent 1a5702cf21
2 changed files with 15 additions and 1 deletions
--- a/changelogs/fragments/902-hashi_vault-token-path.yml
+++ b/changelogs/fragments/902-hashi_vault-token-path.yml
@ -0,0 +1,5 @@
+minor_changes:
+  - hashi_vault lookup - add ``VAULT_TOKEN_PATH`` as env option to specify ``token_path`` param (https://github.com/ansible-collections/community.general/issues/373).
+  - hashi_vault lookup - add ``VAULT_TOKEN_FILE`` as env option to specify ``token_file`` param (https://github.com/ansible-collections/community.general/issues/373).
+bugfixes:
+  - hashi_vault lookup - ``token_path`` in config file overridden by env ``HOME`` (https://github.com/ansible-collections/community.general/issues/373).
--- a/plugins/lookup/hashi_vault.py
+++ b/plugins/lookup/hashi_vault.py
@ -38,13 +38,17 @@ DOCUMENTATION = """
    token_path:
      description: If no token is specified, will try to read the token file from this path.
      env:
-        - name: HOME
+        - name: VAULT_TOKEN_PATH
+          version_added: 1.2.0
      ini:
        - section: lookup_hashi_vault
          key: token_path
      version_added: '0.2.0'
    token_file:
      description: If no token is specified, will try to read the token from this file in C(token_path).
+      env:
+        - name: VAULT_TOKEN_FILE
+          version_added: 1.2.0
      ini:
        - section: lookup_hashi_vault
          key: token_file
@ -537,6 +541,11 @@ class LookupModule(LookupBase):

    def validate_auth_token(self, auth_method):
        if auth_method == 'token':
+            if not self.get_option('token_path'):
+                # generally we want env vars defined in the spec, but in this case we want
+                # the env var HOME to have lower precedence than any other value source,
+                # including ini, so we're doing it here after all other processing has taken place
+                self.set_option('token_path', os.environ.get('HOME'))
            if not self.get_option('token') and self.get_option('token_path'):
                token_filename = os.path.join(
                    self.get_option('token_path'),