Michal Škultéty

Reputation: 228

extract hashicorp vault secrets as values in ansible playbook

I am trying to extract a specific value from a KV2 HashiCorp Vault in an Ansible playbook using the hashi_vault module

- name: Return specific value from vault
  ansible.builtin.set_fact:
    secret: "{{ lookup('hashi_vault', 'secret=my.secrets/data/dev/heslo:value token=vault-plaintext-root-token url=http://10.47.0.235:8200/') }}"
  register: secret

I am getting

{"msg": "An unhandled exception occurred while running the lookup plugin 'hashi_vault'. Error was a <class 'ansible.errors.AnsibleError'>, original message: The secret my.secrets/data/dev/heslo doesn't seem to exist for hashi_vault lookup"}

Query works for all of the secrets in path using

secret=my.secrets/data/dev/

"heslo" record exists in the path

      "ansible_facts": {
            "secret": {
                "data": {
                    "heslo": "heslo",
                    "password": "test",
                    "username": "ahoj"
                },

Thank you in advance

Upvotes: 3

Views: 4381

Answers (1)

Matthew Schuchard

Reputation: 28739

The syntax for your lookup is for the KV1 engine. We can update it for the KV2 secrets engine:

- name: Return specific value from vault
  ansible.builtin.set_fact:
    secret: "{{ lookup('hashi_vault', 'secret=my.secrets/data/dev token=vault-plaintext-root-token url=http://10.47.0.235:8200/') }}"

The secret fact will then be a dictionary containing all of the key-value pairs at the specified secrets path my.secrets/data/dev. You can access the value of the key heslo with the normal syntax secret['heslo'].

Finally, you may also want to update to the Vault collection for Ansible with all of its newer features.

Upvotes: 4
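A complete playbook putting the answer together, added here as an example and not taken from the original thread: it reads the KV2 secret at mount my.secrets, path dev, picks out the heslo key, and repeats the read with the Vault collection's KV2-aware lookup. It assumes VAULT_ADDR and VAULT_TOKEN are exported in the environment so that no plaintext token sits in the playbook; the hostnames and task names are constructed.

```yaml
- name: Read one key from a KV2 secret (added example)
  hosts: localhost
  gather_facts: false
  vars:
    # Assumed: VAULT_ADDR and VAULT_TOKEN are set in the environment
    # instead of hard-coding a root token in the playbook.
    vault_url: "{{ lookup('env', 'VAULT_ADDR') }}"
    vault_token: "{{ lookup('env', 'VAULT_TOKEN') }}"
  tasks:
    - name: Fetch the whole KV2 secret (mount my.secrets, path dev)
      ansible.builtin.set_fact:
        # For KV2 the API path carries /data/ between the mount and the
        # secret path; the lookup returns the dictionary of stored keys.
        secret: "{{ lookup('hashi_vault', 'secret=my.secrets/data/dev token=' ~ vault_token ~ ' url=' ~ vault_url) }}"
      no_log: true   # keep the secret out of task output and logs

    - name: Use only the key you need
      ansible.builtin.debug:
        msg: "heslo has {{ secret['heslo'] | length }} characters"

    - name: Same read with the Vault collection's KV2 lookup
      ansible.builtin.set_fact:
        # community.hashi_vault.vault_kv2_get takes the mount separately,
        # so the path is just 'dev' with no /data/ segment.
        kv2: "{{ lookup('community.hashi_vault.vault_kv2_get', 'dev', engine_mount_point='my.secrets', url=vault_url, token=vault_token) }}"
      no_log: true

    - name: The stored keys sit under the 'secret' key of the result
      ansible.builtin.debug:
        msg: "heslo present: {{ 'heslo' in kv2.secret }}"
```

The community.hashi_vault lookup needs the collection installed (ansible-galaxy collection install community.hashi_vault) and the hvac Python package on the controller.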
