
Test play using vault plugin fails

Open bru2code opened this issue 7 years ago • 1 comments

Hi,

Trialing this and it seems to be failing with the below error message when using it with vault.

script ran snip below

```
curl -s -X GET -H "X-Vault-Token:$VAULT_TOKEN" \
  https://$VAULT_ADDR/v1/secret/hello \
  | jq .data.bar
"baz"

ansible-playbook plugin_test.yml
 [WARNING]: provided hosts list is empty, only localhost is available

PLAY [localhost] ****************************************************************************************************************************************************************************************************************************

TASK [Get a secret from Vault] **************************************************************************************************************************************************************************************************************
Friday 16 February 2018 12:07:27 +0000 (0:00:00.115) 0:00:00.115 *******
fatal: [localhost]: FAILED! => {"failed": true, "msg": "An unhandled exception occurred while running the lookup plugin 'vault'. Error was a <class 'ansible.errors.AnsibleError'>, original message: Unable to retrieve personal token from vault: unknown url type: v1/auth/approle/login"}
 [WARNING]: Failure using method (v2_runner_on_failed) in callback plugin (</usr/lib/python2.7/site-packages/ansible/plugins/callback/mail.CallbackModule object at 0x30d9e10>): [Errno 113] No route to host

PLAY RECAP **********************************************************************************************************************************************************************************************************************************
localhost : ok=0 changed=0 unreachable=0 failed=1
```

Playbook

```yaml
- hosts: localhost
  connection: local
  gather_facts: False
  vars:
    - vault_skip_verify: true
  tasks:
    - name: Get a secret from Vault
      debug: msg="{{ lookup('vault', 'secret/hello', 'bar') }}"
    - name: Get a secret from using with_vault
      debug: msg="{{ item.bar }}"
      with_vault:
        - secret/hello
```

script with playbook invocation

```
export VAULT_ADDR='vault.apps.ocpt.local'
export ANSIBLE_HASHICORP_VAULT_ROLE_ID=${ROLE_ID}
echo ${ANSIBLE_HASHICORP_VAULT_ROLE_ID}
export ANSIBLE_HASHICORP_VAULT_SECRET_ID=${SECRET_ID}
echo ${ANSIBLE_HASHICORP_VAULT_SECRET_ID}
curl -s -X POST -H "X-Vault-Token:$VAULT_TOKEN" -d '{"bar":"baz"}' \
  https://$VAULT_ADDR/v1/secret/hello

curl -s -X GET -H "X-Vault-Token:$VAULT_TOKEN" \
  https://$VAULT_ADDR/v1/secret/hello \
  | jq .data.bar

ansible-playbook plugin_test.yml
```

Actual curl displays the secret, as you can see in the error; however, the play fails!

bru2code, Feb 16 '18 12:02

Hi, thanks for submitting this. There are currently no tests for fetching secrets using approle as the authentication method. We'll have to add some tests to ensure that it works in its current form. Looks like there's something wrong with how the URL is constructed, by reading your error message `No route to host`.

jhaals, Mar 27 '18 19:03
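An added example, not part of the thread and not the plugin's code: the script above exports `VAULT_ADDR` without a scheme, and the `curl` calls prepend `https://` themselves. Assuming the lookup plugin treats `VAULT_ADDR` as a complete URL and combines it with the login path via `urljoin` (an assumption), Python's URL handling yields the same `unknown url type` message; `check_vault_addr` is a hypothetical preflight check to run before the play.

```python
import urllib.request
from urllib.parse import urljoin, urlsplit

LOGIN_PATH = "v1/auth/approle/login"  # path quoted in the error message above


def login_url(vault_addr):
    """Combine base and path with urljoin (assumed; not the plugin's code)."""
    return urljoin(vault_addr, LOGIN_PATH)


def request_error(url):
    """Return the error urllib raises while building a request, or None.

    Request() only parses the URL, so no network traffic is generated.
    """
    try:
        urllib.request.Request(url)
    except ValueError as exc:
        return str(exc)
    return None


def check_vault_addr(vault_addr):
    """Hypothetical preflight check: list problems with a VAULT_ADDR value."""
    if not vault_addr:
        return ["VAULT_ADDR is empty"]
    problems = []
    parts = urlsplit(vault_addr)
    if parts.scheme not in ("http", "https"):
        problems.append("VAULT_ADDR has no http:// or https:// scheme")
    elif not parts.netloc:
        problems.append("VAULT_ADDR has no host")
    return problems


if __name__ == "__main__":
    # First value is the one exported in the issue; second adds the scheme.
    for addr in ("vault.apps.ocpt.local", "https://vault.apps.ocpt.local"):
        url = login_url(addr)
        print(addr, "->", url)
        print("  request error:", request_error(url))
        print("  preflight:", check_vault_addr(addr) or "ok")
```

With the scheme-less value, `urljoin` treats the hostname as a relative path segment and replaces it, which leaves only `v1/auth/approle/login`.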