I used to store ansible_ssh_pass in host_vars, encrypted with ansible-vault, but now I want to move it to hashicorp-vault. I wrote a simple role to get this variable from hashicorp-vault and set it as ansible_ssh_pass, so I can connect to the host with it. But unless I do it I can't gather facts, so the only way is to set gather_facts: no and run

- name: Gathering facts
  setup:

at the end of my role. But now I need to change my playbooks and some roles for this. Is there a better way to run a role before gathering facts, or to force Ansible to get the variable from hashicorp-vault?

Hella
  • I am unsure if this can be achieved with a custom plugin in Ansible that precedes fact gathering, so it would likely need to be wrapped around Ansible. For example, executing Ansible within a pipeline would enable pipeline bindings to Vault to pass the value as an input variable to `ansible-playbook`. – Matthew Schuchard Jun 14 '22 at 12:45

1 Answer


It sounds like you should be using the hashi_vault lookup plugin.

For example, you could set in your inventory something like this:

all:
  vars:
    ansible_ssh_pass: "{{ lookup('hashi_vault', 'secret=secret/ssh_password:value') }}"
  hosts:
    host1:
    host2:
...

This would require you to have VAULT_ADDR and VAULT_TOKEN set appropriately in your environment.

NB: I don't have a Vault instance to play with, but I do something very similar using the aws_secret lookup.

larsks
  • This is exactly what I need, but I can't get the value from Vault because `original message: Invalid Hashicorp Vault Token Specified for hashi_vault lookup.`. I tried to provide the token either via `lookup('hashi_vault', ' token= url=')` or via `VAULT_TOKEN` and `VAULT_ADDR`. In both cases the output is the same. – Hella Jun 15 '22 at 10:09
  • Ok, now I've solved it. Instead of writing the args as one argument, I needed to pass them like `lookup('hashi_vault', 'secret=secret/...', validate_certs=False, token='', url='')`. If you get `The secret doesn't seem to exist.`, check the paths in the ACL policies. Thank you, I got exactly what I needed. – Hella Jun 15 '22 at 11:08
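Putting the answer's inventory approach and the keyword-argument form from the follow-up comment together, here is an added worked example (not code from the answer or from the community.hashi_vault collection). It assumes a Vault KV v1 engine mounted at secret/ holding a key ssh_password whose field value is the SSH password, a login user named deploy, and VAULT_ADDR and VAULT_TOKEN exported in the control node's environment, which the lookup reads on its own. The lookup executes on the control node when Ansible first builds the SSH connection, so the playbook can keep gather_facts enabled instead of the gather_facts: no plus trailing setup workaround from the question.

```yaml
# inventory.yml (added example; paths, user and host names are assumptions)
all:
  vars:
    ansible_user: deploy
    # Secret path as the term, connection options as separate keyword
    # arguments (the form that resolved the token error in the comments).
    # url and token fall back to VAULT_ADDR / VAULT_TOKEN from the environment,
    # so they are omitted here rather than written into the inventory.
    # With a KV v2 engine the path would contain "data/" (secret/data/ssh_password).
    # validate_certs is left at its default (true) so the token is only ever
    # sent over a verified TLS connection.
    ansible_ssh_pass: "{{ lookup('community.hashi_vault.hashi_vault',
                                 'secret=secret/ssh_password:value') }}"
  hosts:
    host1:
    host2:

---
# site.yml (added example): no manual setup task is needed, because
# ansible_ssh_pass is resolved from Vault before the setup module connects.
- hosts: all
  gather_facts: true
  tasks:
    - name: Facts are available without a trailing setup task
      debug:
        msg: "{{ inventory_hostname }} runs {{ ansible_distribution }}"
    # no_log keeps the password out of the run output if a task ever has to
    # reference it explicitly.
    - name: Confirm the credential was fetched without printing it
      assert:
        that:
          - ansible_ssh_pass | length > 0
      no_log: true
```

Run it with `VAULT_ADDR` and `VAULT_TOKEN` exported, for example `ansible-playbook -i inventory.yml site.yml`. The token should be a short-lived one whose policy grants only read on secret/ssh_password; a policy path that does not match the secret path is the situation behind the "The secret doesn't seem to exist." message mentioned in the comments, so check the policy before suspecting the inventory.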