Documentation about auth_method 'none' hashi_vault #396
SUMMARY

```yaml
- name: authenticate with vault agent
  ansible.builtin.debug:
    msg: "{{ lookup('community.hashi_vault.hashi_vault', 'secret/hello:value', auth_method='none', url='http://127.0.0.1:8100') }}"
```

I'm trying to understand how this works. I'm using vault agent to authenticate but I didn't understand how the

I'm studying the authentication methods, and I think it would be nice if there were a way to pass the path of the token file generated by vault agent.

ISSUE TYPE
Replies: 1 comment
Hi @Fabiokleis! The `none` auth method is useful when you want to use Vault agent as the HTTP host, using it as an API proxy, in combination with auto-auth.

In your above example, it should work as long as your agent is listening on `http://127.0.0.1:8100`.

In that mode of operation, nothing running in Ansible needs to retrieve the token at all, because the request will go to the agent with no authentication, and the agent will proxy the request to its upstream Vault server with the token injected.

I recommend using the agent in this way, with the `none` authentication type, unless you cannot run agent as a proxy for some reason.

The other method you describe, where you want to directly use the token in Ansible, by reading it from the agent's token sink, is also possible, but not with the

You could look up the value yourself. You can use the

But the

An example using the token method might be like this:

```yaml
- name: authenticate with vault agent
  vars:
    ansible_hashi_vault_url: https://vault
    ansible_hashi_vault_auth_method: token
    ansible_hashi_vault_token_path: /tmp
    ansible_hashi_vault_token_file: token_file_name
  ansible.builtin.debug:
    msg: "{{ lookup('community.hashi_vault.vault_kv1_get', 'secret/hello').secret.value }}"
```

Note that I'm using

I also used a lookup because your original example did, but we have modules now too, and there are some good reasons to use modules instead of lookups, there's more information on that here:
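A Vault agent configuration matching the proxy setup described in the reply, as an added example that is not part of the original discussion or the collection's documentation. The upstream address, the AppRole auth method and all file paths are assumptions chosen for illustration; only the `127.0.0.1:8100` listener comes from the thread.

```hcl
# Upstream Vault server the agent proxies to (assumed address).
vault {
  address = "https://vault.example.com:8200"
}

# Auto-auth: the agent logs in by itself and keeps its token renewed.
auto_auth {
  # AppRole is an assumption; any auto-auth method works the same way here.
  method "approle" {
    config = {
      role_id_file_path   = "/etc/vault-agent/role_id"    # assumed path
      secret_id_file_path = "/etc/vault-agent/secret_id"  # assumed path
    }
  }

  # Token sink: only needed for auth_method=token, where Ansible reads
  # the token file itself. Keep it out of world-readable directories
  # and restrict the mode to the owning user.
  sink "file" {
    config = {
      path = "/run/vault-agent/token"  # assumed path
      mode = 0600
    }
  }
}

# API proxy: requests arriving without a token get the auto-auth token
# injected before being forwarded upstream. This is what lets the
# lookup run with auth_method='none'. (Vault 1.13 and later; older
# agents set use_auto_auth_token in the cache stanza instead.)
api_proxy {
  use_auto_auth_token = true
}

# Listener the lookup points at with url='http://127.0.0.1:8100'.
# Every local process that can reach this socket is served with the
# agent's token, so bind to loopback only and keep the policy attached
# to the agent's role as narrow as the playbooks allow.
listener "tcp" {
  address     = "127.0.0.1:8100"
  tls_disable = true
}
```

With the `api_proxy` stanza and listener in place the sink can be dropped entirely, which leaves no token file on disk for other local users to read.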