
Support for returning secrets in json/yaml

Open gardar opened this issue 2 years ago • 1 comment

Would it be possible to add support for returning the secrets from the vault_secret macro in a json or yaml format? Or is that something that's out of scope of the plugin and should be handled within foreman/satellite?

I'm trying to use a vault secret as an ansible variable, and it would be good if I wouldn't have to parse the ruby hash in the ansible code.

gardar avatar Jun 13 '22 14:06 gardar

Turns out there is already a way to get json/yaml by wrapping the to_json and to_yaml macros around the data returned from the vault plugin.

A few examples:

Using the vault_secret macro directly as an ansible variable override:

<%= vault_secret('MyVault', 'kv2/data/my_secret') %>

"{:data=>{:color=>\"blue\", :number=>\"eleventeen\"}, :metadata=>{:created_time=>\"2022-05-13T14:42:18.949064761Z\", :custom_metadata=>nil, :deletion_time=>\"\", :destroyed=>false, :version=>1}}"

Wrapping to_yaml around the macro in the ansible variable:

<%= to_yaml(vault_secret('MyVault', 'kv2/data/my_secret')) %>

"---\n:data:\n  :color: blue\n  :number: eleventeen\n:metadata:\n  :created_time: '2022-05-13T14:42:18.949064761Z'\n  :custom_metadata: \n  :deletion_time: ''\n  :destroyed: false\n  :version: 1\n"

But actually those variables are returned as strings, so to use them in ansible you have to use ansible filters to get them into a dictionary format:

"{{ my_ansible_variable | from_json }}"
"{{ my_ansible_variable | from_yaml }}"

Or set the variable type (Parameter type) in foreman/satellite to yaml/json instead of string, and then ansible recognizes it correctly:

<%= to_yaml(vault_secret('MyVault', 'kv2/data/my_secret')) %>

{
    "data": {
        "color": "blue",
        "number": "eleventeen"
    },
    "metadata": {
        "created_time": "2022-05-13T14:42:18.949064761Z",
        "custom_metadata": null,
        "deletion_time": "",
        "destroyed": false,
        "version": 1
    }
}

Initially I was using the regex_replace ansible filter to convert the ruby hash to json inside an ansible role. I'm sharing it here in case someone finds it useful: https://gist.github.com/gardar/8e17f6bd69f48948ec7701a6f867a210

gardar avatar Jun 13 '22 20:06 gardar
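Added illustration of the conversions discussed in the comment above (this is not code from the foreman_vault plugin or from the poster): a constructed stand-in for vault_secret returns the same hash as in the issue, and the helpers render it the three ways Ansible would receive it, showing why the raw Hash#to_s form cannot be parsed and why stringifying symbol keys before to_yaml gives cleaner key names. The stand-in macro and the helper names are assumptions.

```ruby
require 'json'
require 'yaml'

# Constructed stand-in for the plugin's vault_secret macro (assumption): it
# hands back a Ruby Hash with symbol keys, the same data shown in the issue.
def vault_secret(_vault, _path)
  {
    data: { color: 'blue', number: 'eleventeen' },
    metadata: { created_time: '2022-05-13T14:42:18.949064761Z',
                custom_metadata: nil, deletion_time: '',
                destroyed: false, version: 1 }
  }
end

# What Ansible sees when the macro is used directly: Hash#to_s output,
# which is neither JSON nor YAML and cannot be parsed by from_json.
def raw_param
  vault_secret('MyVault', 'kv2/data/my_secret').to_s
end

# Recursively turn symbol keys into strings so to_yaml emits "data:" instead
# of ":data:"; a YAML consumer that does not know Ruby symbols would otherwise
# keep the leading colon as part of the key name.
def stringify_keys(obj)
  case obj
  when Hash  then obj.each_with_object({}) { |(k, v), h| h[k.to_s] = stringify_keys(v) }
  when Array then obj.map { |v| stringify_keys(v) }
  else obj
  end
end

# Equivalent of wrapping to_json around the macro.
def json_param
  vault_secret('MyVault', 'kv2/data/my_secret').to_json
end

# Equivalent of wrapping to_yaml around the macro, keys stringified first.
def yaml_param
  stringify_keys(vault_secret('MyVault', 'kv2/data/my_secret')).to_yaml
end

# Parse the rendered parameter back, as Ansible's from_json / from_yaml would.
def parse_json(str)
  JSON.parse(str)
end

def parse_yaml(str)
  YAML.safe_load(str)
end
```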