
Unintuitive approle features

Open somebadcode opened this issue 3 years ago • 2 comments

Hi!

I'm trying to figure out how to get a token tied to an approle in Ansible that Ansible can use. The documentation is really difficult to understand since each module has many fields and bare-bones explanations and no hint of what it looks like when used in realistic scenarios.

Approle usage in Vault is one of the less intuitive things and it becomes less intuitive when I can't find anything in this module that feels like they are connected to how I use the CLI.

I'm trying to replace two tasks that currently use the Vault CLI to obtain a temporary secret and then use that to obtain a token.

They look something like this:

# step 1: mint a fresh secret_id for the "ansible" approle (the ambient VAULT_TOKEN must be allowed to write to this path)
- local_action: command vault write -f -field=secret_id auth/approle/role/ansible/secret-id
  register: vault_ansible_secret

# step 2: exchange role_id + secret_id for a client token
- local_action: "command vault write -field=token auth/approle/login role_id={{ vault_ansible_role_id }} secret_id={{ vault_ansible_secret.stdout }}"
  register: token_task

# keep the token as a fact for the rest of the play
- set_fact:
    ansible_vault_token: "{{ token_task.stdout }}"

The token can then be used in future roles during the play.

What modules are equivalent to those two local tasks? I've looked at the tests and I'm left with even more questions about this. Is there a chance that the documentation can be more descriptive to the extent that it's possible to see the relation between the module and the official Vault documentation on how to do it with the CLI?

somebadcode avatar Mar 11 '21 19:03 somebadcode
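As an added example (not from the issue and not code from ansible-modules-hashivault), the same two steps expressed against Vault's HTTP API with Ansible's built-in `uri` module, which avoids shelling out to the CLI and lets the secret_id and token be kept out of task logs. It assumes VAULT_ADDR and VAULT_TOKEN are set in the controller's environment, the approle is named `ansible`, and `vault_ansible_role_id` is already defined.

```yaml
# Added example, not the issue's code nor the module collection's own:
# the two CLI steps done via Vault's HTTP API with the uri module.
# Assumes VAULT_ADDR / VAULT_TOKEN in the controller environment and
# an approle named "ansible".
- name: Generate a one-time secret_id for the approle (POST .../role/ansible/secret-id)
  ansible.builtin.uri:
    url: "{{ lookup('env', 'VAULT_ADDR') }}/v1/auth/approle/role/ansible/secret-id"
    method: POST
    headers:
      X-Vault-Token: "{{ lookup('env', 'VAULT_TOKEN') }}"
    status_code: 200
    return_content: true
  register: vault_ansible_secret
  delegate_to: localhost
  run_once: true
  no_log: true          # the secret_id is a credential; keep it out of logs

- name: Log in with role_id + secret_id (POST .../auth/approle/login)
  ansible.builtin.uri:
    url: "{{ lookup('env', 'VAULT_ADDR') }}/v1/auth/approle/login"
    method: POST
    body_format: json
    body:
      role_id: "{{ vault_ansible_role_id }}"
      secret_id: "{{ vault_ansible_secret.json.data.secret_id }}"
    status_code: 200
    return_content: true
  register: token_task
  delegate_to: localhost
  run_once: true
  no_log: true          # response carries the client token

- name: Keep the client token (and what it is bound to) for later roles in the play
  ansible.builtin.set_fact:
    ansible_vault_token: "{{ token_task.json.auth.client_token }}"
    # the login response also reports the policies and TTL the token carries,
    # useful for checking the approle was assigned what you expected
    ansible_vault_token_policies: "{{ token_task.json.auth.policies }}"
    ansible_vault_token_ttl: "{{ token_task.json.auth.lease_duration }}"
  no_log: true
```

The secret_id minted in the first task is single-purpose: it is consumed by the login and, with the usual `secret_id_num_uses` limit on the role, cannot be replayed later.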

The functional tests might be some help on how they are supposed to be used:

https://github.com/TerryHowe/ansible-modules-hashivault/blob/main/functional/test_approle.yml

TerryHowe avatar Mar 12 '21 15:03 TerryHowe

From the test cases, I guess that the first local action is done by hashivault_approle_role_secret, but the second local action is still a big unknown for me. My guess would be hashivault_approle_role_secret_get, but I expect to be able to specify role_id and secret_id somewhere. Am I on the right track? I need to obtain a client token from Vault that is tied to the policies that the approle has been assigned.

somebadcode avatar Mar 12 '21 23:03 somebadcode