lookup hashi_vault: Add Vault App role in auth_method (#22403)

Provide Vault App role method to the lookup.

https://www.vaultproject.io/docs/auth/approle.html

Usage:

`{{ lookup('hashi_vault', 'secret=secret/hello:value auth_method=approle role_id=myroleid secret_id=mysecretid url=http://myvault:8200')}}`

You can skip `role_id` and `secret_id` if you set `VAULT_ROLE_ID` and `VAULT_SECRET_ID` environment variables.
This commit is contained in:
Gaël Lambert 2017-12-14 20:25:05 +01:00 committed by Adam Miller
parent 6cb388a98a
commit 82949f6e6f


@ -33,6 +33,14 @@ DOCUMENTATION = """
description: authentication user name
password:
description: authentication password
role_id:
description: Role id for a vault AppRole auth
env:
- name: VAULT_ROLE_ID
secret_id:
description: Secret id for a vault AppRole auth
env:
- name: VAULT_SECRET_ID
auth_method:
description: authentication method used
mount_point:
@ -65,6 +73,10 @@ EXAMPLES = """
- name: using certificate auth
debug:
msg: "{{ lookup('hashi_vault', 'secret=secret/hi:value token=xxxx-xxx-xxx url=https://myvault:8200 validate_certs=True cacert=/cacert/path/ca.pem')}}"
- name: authenticate with a Vault app role
debug:
msg: "{{ lookup('hashi_vault', 'secret=secret/hello:value auth_method=approle role_id=myroleid secret_id=mysecretid url=http://myvault:8200')}}"
"""
RETURN = """
@ -185,6 +197,17 @@ class HashiVault:
else:
return False
def auth_approle(self, **kwargs):
role_id = kwargs.get('role_id', os.environ.get('VAULT_ROLE_ID', None))
if role_id is None:
raise AnsibleError("Authentication method app role requires a role_id")
secret_id = kwargs.get('secret_id', os.environ.get('VAULT_SECRET_ID', None))
if secret_id is None:
raise AnsibleError("Authentication method app role requires a secret_id")
self.client.auth_approle(role_id, secret_id)
class LookupModule(LookupBase):
def run(self, terms, variables, **kwargs):
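Review bot: `auth_approle` in the last hunk never reads the `mount_point` option that DOCUMENTATION already declares (the `mount_point:` entry right after `auth_method`), so an AppRole backend enabled at a non-default path cannot be used with this lookup; assuming the pinned hvac release accepts a `mount_point` keyword on `auth_approle` (verify against its signature), forward it with `mount_point = kwargs.get('mount_point', 'approle')` and `self.client.auth_approle(role_id, secret_id, mount_point=mount_point)`. The new EXAMPLES entry (and the commit message) points at `url=http://myvault:8200`, which would send the `secret_id` credential and the returned token over cleartext HTTP; the neighbouring certificate example already uses https, so this one should read `url=https://myvault:8200` as well. Since `secret_id` is a credential rather than an identifier, its DOCUMENTATION description could add `Prefer supplying this via the VAULT_SECRET_ID environment variable rather than inline in a playbook, where it would be committed and may be logged.`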