
hashicorp vault - How to use Ansible Automation PlatformPlaybook with HashiVault and an approle - Stack Overflow


Here's what I want to do. I use credentials that I've stored in AAP to access HashiVault; I want to create a playbook that uses those credentials to get what I want from HashiVault.

But everything I try doesn't work. There is a credential type called HashiCorp Vault Secret Lookup that we tried, and it doesn't quite work how we want: it only allows us to pull one secret, and the way we have it set up we can't use more than one of those type of credentials in our template. The way I have it set up now is that I went to credential types and created my own credential that looks like this.

fields:
  - id: vault_server
    type: string
    label: URL for Vault Server
  - id: vault_role_id
    type: string
    label: Vault AppRole ID
  - id: vault_secret_id
    type: string
    label: Vault Secret ID
    secret: true
required:
  - vault_server
  - vault_role_id
  - vault_secret_id

I then went into credentials and created a new credential based on this credential type. It asked me for a role_id and secret_id, which I got from my vault server by using

vault read auth/approle/role/my-role/role-id

and

vault write auth/approle/role/my-role/secret-id

I entered both of those into my credentials and entered the vault URL.

I then wrote a playbook like this.

- name: Authenticate with Vault using AppRole
  community.hashi_vault.vault_read:
    url: "{{ vault_url }}"
    auth_method: approle
    role_id: "{{ role_id }}"
    secret_id: "{{ secret_id }}"
    path: "{{ secret_path }}"
    ca_cert: "{{ path_to_cert }}"
  register: secret_data
  delegate_to: localhost

- name: Debug secret response
  debug:
    var: secret_data

I launch my template and I get Forbidden Permission Denied to Path my/path/in/vault. I do have the right policy, which is assigned to my AppRole and which has the correct path.

path "my/path/in/vault"
{
  capabilities = ["read", "list"]
}

I'm not sure where else to go from here. If someone can provide any insight I would greatly appreciate it, or even a different way forward. I have read all the documentation from here

.4/html/userguide/credential_plugins.html#id7

Amongst some other posts on Reddit and other forums.
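As an added example that is not part of the original question and not code from AAP, Ansible or HashiCorp, here is one way to wire a custom credential type to a playbook so that a single AppRole login can read more than one path. An AAP custom credential type needs two halves: the input fields (which the question shows) and the injectors, which map the stored values onto extra vars the playbook can reference. The field ids, the injected variable names (vault_url, role_id, secret_id), the two secret paths and the assumption that they live on a KV version 2 mount at secret/ are all my assumptions, not values from the post. The playbook logs in once with community.hashi_vault.vault_login, reads auth/token/lookup-self to show which policies the token really carries, and then reuses the token for every read, so the AppRole login (and any limited-use secret_id) is consumed only once.

```yaml
# Added example (not from the original question or from any AAP/Vault project).
# Part 1: an AAP custom credential type. The "fields" block alone only defines
# the form; the "injectors" block is what turns the stored values into extra
# vars the playbook can reference. Field ids and variable names are assumptions.

# --- Input configuration ---
fields:
  - id: vault_server
    type: string
    label: URL for Vault Server
  - id: vault_role_id
    type: string
    label: Vault AppRole ID
  - id: vault_secret_id
    type: string
    label: Vault Secret ID
    secret: true
required:
  - vault_server
  - vault_role_id
  - vault_secret_id

# --- Injector configuration ---
extra_vars:
  vault_url: "{{ vault_server }}"
  role_id: "{{ vault_role_id }}"
  secret_id: "{{ vault_secret_id }}"

---
# Part 2: a playbook that logs in once with AppRole and reuses the token for
# several reads. secret_paths are constructed sample values on an assumed
# KV version 2 mount at "secret/" (hence the "data/" segment in the API path).
- name: Read several Vault secrets with a single AppRole login
  hosts: localhost
  gather_facts: false
  vars:
    secret_paths:
      - secret/data/app/db
      - secret/data/app/api
  tasks:
    - name: Log in with AppRole and keep the resulting token
      community.hashi_vault.vault_login:
        url: "{{ vault_url }}"
        auth_method: approle
        role_id: "{{ role_id }}"
        secret_id: "{{ secret_id }}"
      register: vault_login_result
      no_log: true  # the client token must not appear in job output

    - name: Check which policies the token actually carries
      community.hashi_vault.vault_read:
        url: "{{ vault_url }}"
        auth_method: token
        token: "{{ vault_login_result.login.auth.client_token }}"
        path: auth/token/lookup-self
      register: token_info

    - name: Show the token's policies (compare with the policy on the AppRole)
      ansible.builtin.debug:
        msg: "Token policies: {{ token_info.data.data.policies }}"

    - name: Read every path with the same token
      community.hashi_vault.vault_read:
        url: "{{ vault_url }}"
        auth_method: token
        token: "{{ vault_login_result.login.auth.client_token }}"
        path: "{{ item }}"
      loop: "{{ secret_paths }}"
      register: secrets
      no_log: true  # secret values must not appear in job output

    - name: Show only the key names that were read (values stay hidden)
      ansible.builtin.debug:
        msg: "{{ item.item }} -> {{ item.data.data.data.keys() | list }}"
      loop: "{{ secrets.results }}"
```

The lookup-self task is a check worth keeping: a "permission denied" from Vault means the token's policies do not cover the exact API path that was requested, and this task prints the policies the AppRole token was actually issued with. Two general caveats when comparing them with the policy file: on a KV version 2 mount the read goes to `<mount>/data/<path>`, so the policy must name that path with the data/ segment, and the path in the policy must include the mount prefix. The `ca_cert` option from the question's task can be added to both module calls unchanged. The community.hashi_vault collection and its hvac Python dependency must be present in the execution environment, and `no_log: true` keeps both the token and the secret values out of the job output.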
