Configure KV1 modules

If you are using KV1 with the community.hashi_vault collection, configure the corresponding modules in the hashicorp.vault collection.

Configure the hashicorp.vault.kv1_secret module

Configuring this module is not required, but you can configure the defaults if needed after the migration.

Procedure

Configuring this module is not required for migration because there are no corresponding modules in community.hashi_vault. However, you might want to configure something other than the defaults for auth_method and state after the migration. You can use the examples on Ansible automation hub for reference.

Configure the hashicorp.vault.kv1_secret_info module

The hashicorp.vault.kv1_secret_info module reads KV1 secrets.

About this task

The corresponding community.hashi_vault modules are:

  • community.hashi_vault.vault_kv1_get: Retrieves secrets from the HashiCorp Vault KV version 1 secret store.
  • community.hashi_vault.vault_kv1_get lookup: Retrieves secrets from the HashiCorp Vault KV version 1 secret store.

Procedure

  1. Replicate the community.hashi_vault module settings in the following hashicorp.vault.kv1_secret_info parameters.
      engine_mount_point:
        description: KV secrets engine mount point.
        default: secret
        type: str
        aliases: [secret_mount_path]
      path:
        description:
          - Specifies the path of the secret.
        required: true
        type: str
        aliases: [secret_path]
    extends_documentation_fragment:
      - hashicorp.vault.vault_auth.modules
  2. (Required) Configure the path parameter. This is the path to the secret in the community.hashi_vault.hashi_vault modules. Alias: secret_path
  3. If needed, configure the optional parameters.

What to do next

Configure the hashicorp.vault.kv1_secret_get lookup plugin

The hashicorp.vault.kv1_secret_get lookup plugin reads KV1 secrets.

About this task

The corresponding community.hashi_vault modules are:

  • community.hashi_vault.hashi_vault: Retrieves secrets from HashiCorp Vault.
  • community.hashi_vault.vault_kv1_get lookup: Gets secrets from the HashiCorp Vault KV version 1 secret store.

Procedure

  1. Replicate the community.hashi_vault module settings in the following hashicorp.vault.kv1_secret_get parameters.
    auth_method:
      description: Authentication method to use.
      choices: ['token', 'approle']
      default: token
      type: str
    engine_mount_point:
      description:
        - The KV secrets engine mount point.
      default: secret
      type: str
      aliases: ['mount_point', 'secret_mount_path']
    secret:
      description:
        - The Vault path to the secret being requested.
      required: true
      type: str
      aliases: ['secret_path']
  2. (Required) Configure the secret parameter. This maps to secret in the community.hashi_vault.hashi_vault modules. Alias: secret_path
  3. If needed, configure the optional parameters.

What to do next

Example: hashicorp.vault.kv1_secret_info module

The following migration example shows before and after configurations for the hashicorp.vault.kv1_secret_info module.

Example:

Before (community.hashi_vault)

- name: Read a kv1 secret from Vault (community collection)
  community.hashi_vault.vault_kv1_get:
    url: https://vault:8201
    token: "{{ vault_token }}"
    path: hello
  register: response

After (hashicorp.vault)

- name: Read a kv1 secret from Vault (hashicorp.vault collection)
  hashicorp.vault.kv1_secret_info:
    url: https://vault.example.com:8201
    token: "{{ vault_token }}"
    path: sample

Example: hashicorp.vault.kv1_secret_get lookup

The following migration example shows the KV1 secret get lookup.

Example:

Before (community.hashi_vault)

- name: Retrieve a secret from the Vault
  ansible.builtin.debug:
    msg: "{{ lookup('community.hashi_vault.vault_kv1_get', 'hello', url='https://vault:8201') }}"

After (hashicorp.vault)

- name: Retrieve a secret from the Vault
  ansible.builtin.debug:
    msg: "{{ lookup('hashicorp.vault.kv1_secret_get',
                    secret='hello',
                    url='https://myvault_url:8201') }}"
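
The following Python script is an added example, not part of the original page or of either collection. It applies the name mapping from the examples above to playbook text and flags each migrated task that does not set engine_mount_point, because such a task uses the hashicorp.vault default of secret. The function name, messages and line-based matching (single-line lookups only) are assumptions of this sketch, and the sample input is constructed from the two "Before" tasks above.

```python
import re
from itertools import takewhile

# Names as given on the page (community.hashi_vault -> hashicorp.vault).
OLD = "community.hashi_vault.vault_kv1_get"
NEW_MODULE, NEW_LOOKUP = "hashicorp.vault.kv1_secret_info", "hashicorp.vault.kv1_secret_get"
MODULE_RE = re.compile(r"^(\s*)" + re.escape(OLD) + r":\s*$")
# lookup('<OLD>', 'hello', ...): the positional term becomes secret='hello'
LOOKUP_RE = re.compile(r"lookup\(\s*(['\"])" + re.escape(OLD) + r"\1\s*,\s*(['\"])(.*?)\2")
# Mount point parameter and its aliases, as a YAML key or a lookup keyword argument.
MOUNT_RE = re.compile(r"\b(engine_mount_point|mount_point|secret_mount_path)\s*[:=]")
NO_MOUNT = "engine_mount_point not set; hashicorp.vault defaults to 'secret'"

def migrate(text):
    """Return (rewritten_text, findings); findings are (line_no, message) tuples."""
    lines, out, findings = text.splitlines(), [], []
    for no, line in enumerate(lines, 1):
        m = MODULE_RE.match(line)
        if m:
            n = len(m.group(1))
            # Module arguments: following lines that are blank or indented deeper than the key.
            scope = list(takewhile(lambda s: not s.strip() or len(s) - len(s.lstrip()) > n, lines[no:]))
            new, what = m.group(1) + NEW_MODULE + ":", "module -> " + NEW_MODULE
        else:
            new = LOOKUP_RE.sub(lambda k: "lookup({0}{1}{0}, secret={2}{3}{2}".format(
                k.group(1), NEW_LOOKUP, k.group(2), k.group(3)), line)
            scope, what = [line], "lookup -> " + NEW_LOOKUP
        if new != line:
            findings.append((no, what))
            if not any(MOUNT_RE.search(s) for s in scope):
                findings.append((no, NO_MOUNT))
        out.append(new)
    return "\n".join(out), findings

# Constructed sample: the page's two "Before" tasks.
SAMPLE = """\
- name: Read a kv1 secret from Vault (community collection)
  community.hashi_vault.vault_kv1_get:
    url: https://vault:8201
    token: "{{ vault_token }}"
    path: hello
  register: response
- name: Retrieve a secret from the Vault
  ansible.builtin.debug:
    msg: "{{ lookup('community.hashi_vault.vault_kv1_get', 'hello', url='https://vault:8201') }}"
"""

if __name__ == "__main__":
    print(*migrate(SAMPLE), sep="\n")
```

Review the rewritten text as a diff before committing it; optional parameters other than the mount point are passed through unchanged and still need checking against the parameter lists above.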