lookup hashi_vault: Add Vault App role in auth_method (#22403)
Provide Vault App role method to the lookup. https://www.vaultproject.io/docs/auth/approle.html Usage : `{{ lookup('hashi_vault', 'secret=secret/hello:value auth_method=approle role_id=myroleid secret_id=mysecretid url=http://myvault:8200')}}` You can skip `role_id` and `secret_id` if you set `VAULT_ROLE_ID` and `VAULT_SECRET_ID` environment variables.
This commit is contained in:
parent
6cb388a98a
commit
82949f6e6f
1 changed files with 23 additions and 0 deletions
|
@ -33,6 +33,14 @@ DOCUMENTATION = """
|
|||
description: authentication user name
|
||||
password:
|
||||
description: authentication password
|
||||
role_id:
|
||||
description: Role id for a vault AppRole auth
|
||||
env:
|
||||
- name: VAULT_ROLE_ID
|
||||
secret_id:
|
||||
description: Secret id for a vault AppRole auth
|
||||
env:
|
||||
- name: VAULT_SECRET_ID
|
||||
auth_method:
|
||||
description: authentication method used
|
||||
mount_point:
|
||||
|
@ -65,6 +73,10 @@ EXAMPLES = """
|
|||
- name: using certificate auth
|
||||
debug:
|
||||
msg: "{{ lookup('hashi_vault', 'secret=secret/hi:value token=xxxx-xxx-xxx url=https://myvault:8200 validate_certs=True cacert=/cacert/path/ca.pem')}}"
|
||||
|
||||
- name: authenticate with a Vault app role
|
||||
debug:
|
||||
msg: "{{ lookup('hashi_vault', 'secret=secret/hello:value auth_method=approle role_id=myroleid secret_id=mysecretid url=http://myvault:8200')}}"
|
||||
"""
|
||||
|
||||
RETURN = """
|
||||
|
@ -185,6 +197,17 @@ class HashiVault:
|
|||
else:
|
||||
return False
|
||||
|
||||
def auth_approle(self, **kwargs):
|
||||
role_id = kwargs.get('role_id', os.environ.get('VAULT_ROLE_ID', None))
|
||||
if role_id is None:
|
||||
raise AnsibleError("Authentication method app role requires a role_id")
|
||||
|
||||
secret_id = kwargs.get('secret_id', os.environ.get('VAULT_SECRET_ID', None))
|
||||
if secret_id is None:
|
||||
raise AnsibleError("Authentication method app role requires a secret_id")
|
||||
|
||||
self.client.auth_approle(role_id, secret_id)
|
||||
|
||||
|
||||
class LookupModule(LookupBase):
|
||||
def run(self, terms, variables, **kwargs):
|
||||
|
|
Loading…
Reference in a new issue