
Ansible Secret Lookup#

This example utilizes the community.hashi_vault ansible collection.

Note

See AWX Tower Secret Plugin for a different option strictly for AWX Tower.

See this example terraform repository to set up approle authentication for ansible to connect to vault.

If you are running ansible locally and want to retrieve secrets as yourself using your own vault permissions, skip to the Local Ansible Integration section and follow the steps to authenticate as yourself using SAML.

Vault Policies#

Teams are responsible for setting up policies that give ansible access to specific secrets or paths. Use this terraform or the following CLI commands to set up a policy that can read any secret under secret/ansible/*. The two lookup modules address the KV v2 engine differently, so the policy grants both paths: the hashi_vault lookup (and the Tower plugin) is given the raw API path, which for KV v2 includes the data/ segment, while vault_kv2_get is given the mount point and the path within it. Keep the capabilities to read only; ansible does not need list, create or update on this path.

Bash
vault policy write approle_ansible_access_policy - <<EOF
# Required path for community.hashi_vault.hashi_vault & Tower HashiCorp Vault Secret Lookup (raw KV v2 API path, note the data/ segment)
path "secret/data/ansible/*" {
  capabilities = ["read"]
}

# Required path for community.hashi_vault.vault_kv2_get lookup
path "secret/ansible/*" {
  capabilities = ["read"]
}
EOF

Approle#

In order for ansible to connect to vault, it must authenticate. One option for authentication is approle. To create an approle, run this terraform or use the following CLI command, associating the policy that you created in the last step. The command below creates an approle with Vault's defaults; for production consider bounding the credentials with secret_id_ttl, secret_id_num_uses and token_ttl so a leaked secret_id or token has a limited lifetime.

Bash
vault write auth/approle/role/ansible \
  token_policies="default,approle_ansible_access_policy"

role_id & secret_id#

Ansible will use a role_id & secret_id to authenticate to vault. The example terraform will automatically display the role_id, and you can run terraform output secret_id to obtain the secret_id. For production, use the following CLI commands instead so the secret_id is never written to the terraform state (state files are frequently shared or stored remotely and would then contain a live credential). Treat the secret_id as a password: the role_id alone is not sufficient to log in, but the pair is.

Bash
# Read role-id
vault read auth/approle/role/ansible/role-id

# Create a secret-id
vault write -f auth/approle/role/ansible/secret-id

Local Ansible Integration#

  1. Install the following prerequisites (the hvac Python library is what the collection uses to talk to vault; note that collections are installed with the collection subcommand, a bare ansible-galaxy install would try to install a role of that name)

    Bash
    pip install hvac
    ansible-galaxy collection install community.hashi_vault
    
  2. Set the following environment variables (the collection's lookups read their connection settings from ANSIBLE_HASHI_VAULT_* variables, so nothing vault-specific needs to be hard-coded in the playbook)

    Bash
    export ANSIBLE_HASHI_VAULT_ADDR=https://hcp-vault-private-vault-fc507e0d.5d5b1f21.z1.hashicorp.cloud:8200
    export ANSIBLE_HASHI_VAULT_NAMESPACE=admin/CESI
    
  3. Decide whether to authenticate with the approle, or log in as yourself and use your own permissions. Set one of the two blocks below, not both.

    Bash
    # Authenticate using approle (replace the placeholders with the values from the role_id & secret_id section;
    # be aware that exporting them puts the secret_id in your shell history and process environment)
    export ANSIBLE_HASHI_VAULT_AUTH_METHOD=approle
    export ANSIBLE_HASHI_VAULT_ROLE_ID=<role_id>
    export ANSIBLE_HASHI_VAULT_SECRET_ID=<secret_id>
    
    # Authenticate as yourself using saml. vault login stores your token in ~/.vault-token,
    # which is the file name the lookup reads by default from your home directory
    # (ANSIBLE_HASHI_VAULT_TOKEN_PATH), so the last export only makes the default explicit.
    vault login --method=saml --namespace=admin
    export ANSIBLE_HASHI_VAULT_AUTH_METHOD=token
    export ANSIBLE_HASHI_VAULT_TOKEN_FILE=.vault-token
    
  4. Use the community.hashi_vault secret lookups in your playbook. See this example playbook.

AWX Tower Integration#

  1. Navigate to AWX Tower > Credentials > Add

  2. Fill out the following information:

    • Name: e.g. secm_hcp_credential
    • Description: e.g. Approle for ansible to connect to Vault
    • Organization: your team's AWX Tower organization
    • Credential Type: UMN HCP Vault
    • ansible_hashi_vault_role_id: the role_id retrieved from vault in the previous section
    • ansible_hashi_vault_secret_id: the secret_id retrieved from vault in the previous section (AWX stores it encrypted and will not display it again)
    • ansible_hashi_vault_namespace: admin/CESI or admin/CESI/subteam (e.g. admin/secm or admin/iam/appsec)

    (Screenshot: AWX Tower Vault Credential Setup)

  3. Associate the newly created credential with your tower template; the credential type injects the values as the ANSIBLE_HASHI_VAULT_* environment variables of the job, so the playbook itself contains no vault credentials.

    (Screenshot: AWX Tower Vault Credential Association)

  4. Select the devex-ee Execution Environment for your template (it has the community.hashi_vault collection and other prerequisites)

  5. Use the community.hashi_vault secret lookups in your playbook. See this example playbook.
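
The following playbook is an added example, not the linked example playbook or any code from the community.hashi_vault project. It serves both the local integration step 4 and the AWX step 5 above: in both cases the lookups take their address, namespace and authentication from the ANSIBLE_HASHI_VAULT_* environment variables (exported in your shell, or injected by the AWX credential), so the file contains no vault credentials. It reads one secret with both lookups to show why the policy in Vault Policies grants two paths. It assumes a KV v2 secret exists at secret/ansible/db with a key named password; the secret path, key name and variable names are assumptions for illustration.

```yaml
# Added example playbook: read the same KV v2 secret with both
# community.hashi_vault lookups. Assumed: a KV v2 mount "secret" holding
# the secret ansible/db with a "password" key, and the ANSIBLE_HASHI_VAULT_*
# environment variables already set (locally or by the AWX credential).
- name: Read a Vault secret with community.hashi_vault
  hosts: localhost
  gather_facts: false
  vars:
    kv_mount: secret        # KV v2 mount point (assumed)
    kv_path: ansible/db     # path within the mount, without the data/ segment (assumed)

  tasks:
    # hashi_vault is given the raw API path, so the data/ segment is spelled out;
    # the policy must therefore allow read on secret/data/ansible/*.
    - name: Read the password with the hashi_vault lookup
      ansible.builtin.set_fact:
        db_password: "{{ lookup('community.hashi_vault.hashi_vault',
                                kv_mount ~ '/data/' ~ kv_path ~ ':password') }}"
      no_log: true   # set_fact would otherwise log the secret in verbose runs

    # vault_kv2_get takes the mount and the path separately and returns a dict
    # with raw/data/metadata/secret keys; the secret's key/values are under .secret.
    - name: Read the whole secret with the vault_kv2_get lookup
      ansible.builtin.set_fact:
        db_secret: "{{ lookup('community.hashi_vault.vault_kv2_get',
                              kv_path, engine_mount_point=kv_mount) }}"
      no_log: true

    # Sanity check that both paths resolve to the same secret; quiet and
    # no_log keep the compared values out of the job output.
    - name: Confirm both lookups returned the same value
      ansible.builtin.assert:
        that:
          - db_password == db_secret.secret.password
        quiet: true
      no_log: true

    # Only non-secret metadata is printed; any task that handles the value
    # itself should keep no_log: true.
    - name: Report which secret version was read
      ansible.builtin.debug:
        msg: "Read version {{ db_secret.metadata.version }} of {{ kv_mount }}/{{ kv_path }}"
```

Run it locally with `ansible-playbook read_vault_secret.yml` after completing the Local Ansible Integration steps, or attach it to a template that carries the UMN HCP Vault credential. If the first task fails with a 403 while the second succeeds (or the reverse), the policy is missing one of the two paths from the Vault Policies section.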