I have a simple playbook that fetches some data from a Vault server using curl.

```yaml
tasks:
    - name: role_id
      shell: 'curl \
             --header "X-Vault-Token: s.ddDblh8DpHkOu3IMGbwrM6Je" \
             --cacert vault-ssl-cert.chained \
             https://active.vault.service.consul:8200/v1/auth/approle/role/cpanel/role-id'
      register: 'vault_role_id'
    - name: test1
      debug:
        msg: "{{ vault_role_id.stdout }}"
```

The output is like this:

```text
TASK [test1] *********************************************************************************************************************************************************************
ok: [localhost] => {
    "msg": {
        "auth": null,
        "data": {
            "role_id": "65d02c93-689c-eab1-31ca-9efb1c3e090e"
        },
        "lease_duration": 0,
        "lease_id": "",
        "renewable": false,
        "request_id": "8bc03205-dcc2-e388-57ff-cdcaef84ef69",
        "warnings": null,
        "wrap_info": null
    }
}
```

Everything is OK when I access a first-level attribute, like .stdout in the previous example. I need to reach a deeper-level attribute, like vault_role_id.stdout.data.role_id. When I try this, it fails with the following error:

"The task includes an option with an undefined variable. The error was: 'ansible.utils.unsafe_proxy.AnsibleUnsafeText object' has no attribute 'data'\n\n

Do you have a suggestion for how I can properly get attribute values from a deeper level in this object hierarchy?

Miroslav
  • Filter the output of curl. For example *curl ... | jq '.'* See [Display curl output in readable JSON format in Unix shell script](https://stackoverflow.com/questions/27238411/display-curl-output-in-readable-json-format-in-unix-shell-script). – Vladimir Botka Oct 23 '20 at 20:41
  • I have tried, but it is no better. Without filtering I also get JSON-format output, as I pasted above. But for some reason I cannot reach attributes from a deeper level in the object structure than the first level, which is .stdout in my example... – Miroslav Oct 24 '20 at 10:16

1 Answer

"The task includes an option with an undefined variable. The error was: 'ansible.utils.unsafe_proxy.AnsibleUnsafeText object' has no attribute 'data'\n\n

Yes, because what's happening is that rendering it into msg: with {{ is coercing the JSON text into a Python dict; if you do want it to be a dict, then use either msg: "{{ (vault_role_id.stdout | from_json).data.role_id }}" or you can use set_fact: {vault_role_data: "{{vault_role_id.stdout}}"} and then vault_role_data will be a dict for the same reason it was coerced by your msg.

You can see the opposite process by prefixing the msg with any characters:

```yaml
- name: this one is text
  debug:
    msg: vault_role_id is {{ vault_role_id.stdout }}
- name: this one is coerced
  debug:
    msg: '{{ vault_role_id.stdout }}'
```

While this isn't what you asked, you should also add --fail to your curl so it exits with a non-zero return code if the request returns non-200-OK, or you can use the more Ansible-y way via - uri: and set the return_content: yes parameter.

mdaniel
  • Thank you mdaniel, it works great. I was about to use uri, but faced a problem with validating SSL certs, which I do not know how to deal with. With curl, cert verification works fine - probably because it is not using Python. SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1123) – Miroslav Oct 25 '20 at 15:58
  • They have an option to [suppress cert validation](https://docs.ansible.com/ansible/2.10/collections/ansible/builtin/uri_module.html#parameter-validate_certs), but yes, I presume actually trusting the Vault self-signed would require informing python that it is trusted – mdaniel Oct 25 '20 at 20:35
  • Yes, there is such an option. And yes, it's a Vault self-signed cert. I believe that you are right again when you say that it would require informing Python that it is trusted. I will test this with non-Vault, but regular, generally trusted certs. Thank you man! – Miroslav Oct 25 '20 at 21:38
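
An added example (not part of the original answer or comments) of the uri route discussed above, keeping certificate validation on by pointing the module at the Vault CA chain instead of suppressing it. It assumes ansible-core 2.11 or later for the ca_path parameter, that vault-ssl-cert.chained sits next to the playbook, and that the token is supplied in a VAULT_TOKEN environment variable; the variable names vault_addr and vault_token are illustrative.

```yaml
# Added example: assumes ansible-core >= 2.11 (ca_path) and a VAULT_TOKEN env var.
- hosts: localhost
  gather_facts: false
  vars:
    vault_addr: https://active.vault.service.consul:8200
    # Token is read from the controller's environment (assumption),
    # so it is not stored in the playbook or visible on a curl command line.
    vault_token: "{{ lookup('env', 'VAULT_TOKEN') }}"
  tasks:
    - name: Stop early if no token was supplied
      assert:
        that: vault_token | length > 0
        fail_msg: VAULT_TOKEN is not set
        quiet: true

    - name: Read the AppRole role-id from Vault
      uri:
        url: "{{ vault_addr }}/v1/auth/approle/role/cpanel/role-id"
        method: GET
        headers:
          X-Vault-Token: "{{ vault_token }}"
        # PEM file with the CA chain that signed the Vault certificate.
        ca_path: "{{ playbook_dir }}/vault-ssl-cert.chained"
        validate_certs: true
        return_content: true
        # Any other status fails the task (the equivalent of curl --fail).
        status_code: 200
      register: vault_role_id
      no_log: true   # keeps the token header out of task output and logs

    - name: Use the nested attribute
      debug:
        # uri parses a JSON response body into the .json key of the result,
        # so no from_json filter is needed here.
        msg: "{{ vault_role_id.json.data.role_id }}"
```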