Ansible Modules for Hashicorp Vault
Project description
Ansible modules for Hashicorp Vault.
Usage
The following example writes the giant secret with two values and then reads the fie value:
--- - hosts: localhost vars: foo_value: 'fum' fie_value: 'fum' tasks: - hashivault_status: register: 'vault_status' - hashivault_write: secret: 'giant' data: foo: '{{foo_value}}' fie: '{{fie_value}}' register: 'vault_write' - hashivault_read: secret: 'giant' key: 'fie' register: 'vault_read'
The lookup plugin:
looky: "{{lookup('hashivault', 'giant', 'foo')}}"
By default, the hashivault_write, hashivault_read and the lookup plugin assume the /secret mount point. If you are accessing another mount point, start the secret with a ‘/’:
--- - hosts: localhost tasks: - hashivault_write: secret: '/stories/stuart' data: last: 'little' - hashivault_read: secret: '/stories/charlotte' key: 'web' - set_fact: book: "{{lookup('hashivault', '/stories/charlotte', 'web')}}"
Get a list of secrets:
--- - hosts: localhost tasks: - hashivault_list: secret: '/stories' register: vault
You may init the vault:
--- - hosts: localhost tasks: - hashivault_init: register: 'vault_init'
You may also seal and unseal the vault:
--- - hosts: localhost vars: vault_keys: "{{ lookup('env','VAULT_KEYS') }}" tasks: - hashivault_status: register: 'vault_status' - block: - hashivault_seal: register: 'vault_seal' when: "{{vault_status.status.sealed}} == False" - hashivault_unseal: keys: '{{vault_keys}}'
Policy support:
--- - hosts: localhost vars: name: 'terry' rules: > path "secret/{{name}}/*" { capabilities = ["create", "read", "update", "delete", "list"] } path "secret/{{name}}" { capabilities = ["list"] } tasks: - hashivault_policy_set: name: "{{name}}" rules: "{{rules}}" register: 'vault_policy_set' - hashivault_policy_get: name: '{{name}}' register: 'vault_policy_get' - hashivault_policy_list: register: 'vault_policy_list'
Add and delete users for userpass:
--- - hosts: localhost vars: username: 'portugal' userpass: 'Th3m@n!!' tasks: - hashivault_userpass_create: name: "{{username}}" pass: "{{userpass}}" policies: "{{username}}" register: 'vault_userpass_create' - hashivault_userpass_delete: name: "{{username}}" register: 'vault_userpass_delete'
Handle auth backends:
--- - hosts: localhost tasks: - hashivault_auth_list: register: 'vault_auth_list' - block: - hashivault_auth_enable: name: "userpass" register: 'vault_auth_enable' when: "'userpass/' not in vault_auth_list.backends"
Handle audit backends:
--- - hosts: localhost tasks: - hashivault_audit_list: register: 'vault_audit_list' - block: - hashivault_audit_enable: name: "syslog" register: 'vault_audit_enable' when: "'syslog/' not in vault_audit_list.backends"
If you are not using the VAULT_ADDR and VAULT_TOKEN environment variables, you may be able to simplify your playbooks with an action plugin. This can be some somewhat similar to this example action plugin.
License
[MIT](https://github.com/TerryHowe/ansible-modules-hashivault/blob/master/LICENSE)
Project details
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Hashes for ansible-modules-hashivault-3.1.0.tar.gz
Algorithm | Hash digest | |
---|---|---|
SHA256 | 399c41a4f7a1efa65f85a068ef1cdd91fa80c4a92e765436f997bb716707aa3d |
|
MD5 | e990742da09d413c9490a9b3d4a8a5d0 |
|
BLAKE2b-256 | 41afd5d2bb34c04f4d29b793ad926412964273a1244bd69ea9c376d6981fc493 |