Use Hashicorp Vault with Ansible - plugin setup

ansible hashicorp-vault
RedAnsible picture RedAnsible · Dec 29, 2016 · Viewed 7.8k times · Source

I want to use Hashicorp Vault with Ansible to retrieve username/password which I will use in Ansible playbook.

Vault is setup - I created a secret. What are the steps to integrate both? the documentation around plugins isn't that great. I tried the file lookup from ansible and this works but how to use 3rd party plugins? Can somebody help me with the steps to follow?

  1. Install the plugin, pip install ansible-modules-hashivault
  2. What is the difference with https://github.com/jhaals/ansible-vault
    2.a The environment variables (VAULT ADDR & VAULT TOKEN) I put where?
  3. Change ansible.cfg to point to vault.py which is located in "plugin" folder of my Ansible Project

  4. To test basic integration, can I use the following playbook? https://pypi.python.org/pypi/ansible-modules-hashivault

    - hosts: localhost
    -tasks:
       - hashivault_status:
         register: 'vault_status'

Tried this but I get:

An exception occurred during task execution. The full traceback is:
Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/ansible/executor/task_executor.py", line 119, in run
    res = self._execute()
  File "/usr/lib/python2.7/site-packages/ansible/executor/task_executor.py", line 431, in _execute
    self._task.post_validate(templar=templar)
  File "/usr/lib/python2.7/site-packages/ansible/playbook/task.py", line 248, in post_validate
    super(Task, self).post_validate(templar)
  File "/usr/lib/python2.7/site-packages/ansible/playbook/base.py", line 371, in post_validate
    value = templar.template(getattr(self, name))
  File "/usr/lib/python2.7/site-packages/ansible/template/__init__.py", line 359, in template
    d[k] = self.template(variable[k], preserve_trailing_newlines=preserve_trailing_newlines, fail_on_undefined=fail_on_undefined, overrides=overrides)
  File "/usr/lib/python2.7/site-packages/ansible/template/__init__.py", line 331, in template
    result = self._do_template(variable, preserve_trailing_newlines=preserve_trailing_newlines, escape_backslashes=escape_backslashes, fail_on_undefined=fail_on_undefined, overrides=overrides)
  File "/usr/lib/python2.7/site-packages/ansible/template/__init__.py", line 507, in _do_template
    res = j2_concat(rf)
  File "<template>", line 8, in root
  File "/usr/lib/python2.7/site-packages/jinja2/runtime.py", line 193, in call
    return __obj(*args, **kwargs)
  File "/usr/lib/python2.7/site-packages/ansible/template/__init__.py", line 420, in _lookup
    instance = self._lookup_loader.get(name.lower(), loader=self._loader, templar=self)
  File "/usr/lib/python2.7/site-packages/ansible/plugins/__init__.py", line 339, in get
    self._module_cache[path] = self._load_module_source('.'.join([self.package, name]), path)
  File "/usr/lib/python2.7/site-packages/ansible/plugins/__init__.py", line 324, in _load_module_source
    module = imp.load_source(name, path, module_file)
  File "/etc/ansible/ProjectA/lookup_plugins/vault.py", line 5
    <!DOCTYPE html>
    ^
SyntaxError: invalid syntax

fatal: [win01]: FAILED! => {
    "failed": true,
    "msg": "Unexpected failure during module execution.",
    "stdout": ""

Answer

techraf picture techraf · Dec 29, 2016

Since you put so many eggs into the post, that I have no clue what the question is really about, here's something to get you going with the native lookup plugin and jhaals/ansible-vault.

  • you can create lookup_plugins in the current directory and save vault.py inside;

  • the VAULT_ADDR and VAULT_TOKEN environment variables are as you see them in the script;

The Bash script below (it uses screen and jq, you might need to install them) runs Vault in dev mode, sets the secret, and runs Ansible playbook which queries the secret with two lookup plugins:

#!/bin/bash
set -euo pipefail

export VAULT_ADDR=http://127.0.0.1:8200

if [[ ! $(pgrep -f "vault server -dev") ]]; then
    echo \"vault server -dev\" not running, starting...
    screen -S vault -d -m vault server -dev
    printf "sleeping for 3 seconds\n"
    sleep 3
else
    echo \"vault server -dev\" already running, leaving as is...
fi

vault write secret/hello value=world excited=yes
export VAULT_TOKEN=$(vault token-create -format=json | jq -r .auth.client_token)
ansible-playbook playbook.yml --extra-vars="vault_token=${VAULT_TOKEN}"

and playbook.yml:

---
- hosts: localhost
  connection: local
  tasks:
    - name: Retrieve secret/hello using native hashi_vault plugin
      debug: msg="{{ lookup('hashi_vault', 'secret=secret/hello token={{ vault_token }} url=http://127.0.0.1:8200') }}"

    - name: Retrieve secret/hello using jhaals vault lookup
      debug: msg="{{ lookup('vault', 'secret/hello') }}"

In the end you should get:

TASK [Retrieve secret/hello using native hashi_vault plugin] *******************
ok: [localhost] => {
    "msg": "world"
}

TASK [Retrieve secret/hello using jhaals vault lookup] *************************
ok: [localhost] => {
    "msg": {
        "excited": "yes",
        "value": "world"
    }
}

The word world was fetched from Vault.

Related questions

How to create a directory using Ansible

How do you create a directory www at /srv on a Debian-based system using an Ansible playbook?

Read More
How can I pass variable to ansible playbook in the command line?

I'm new to ansible and wonder how to do so as the following didn't work ansible-playbook -i '10.0.0.1,' yada-yada.yml --tags 'loaddata' django_fixtures="tile_colors" Where django_fixtures is my variable.

Read More
Ansible: How to delete files and folders inside a directory?

The below code only deletes the first file it gets inside the web dir. I want to remove all the files and folders inside the web directory and retain the web directory. How can I do that? - name: remove …

Read More