Red Hat SummitQuesto contenuto non è disponibile nella lingua selezionata.
Chapter 2. Vault integration
2.1. About the Vault integration
The integration of Red Hat Ansible Automation Platform and IBM HashiCorp Vault provides fully automated lifecycle management for Vault.
2.1.1. Introduction
Vault lets you centrally store and manage secrets securely. The Ansible Automation Platform certified hashicorp.vault collection provides fully automated lifecycle and operation management for Vault. You can create, update, and delete secrets through playbooks.
-
Existing
community.hashi_vaultusers: Thehashicorp.vaultsolution is intended to replace unsupportedcommunity.hashi_vaultcollection. Use the migration path to keep your existing playbooks. For more information about migrating, see Migrating fromcommunity.hashi_vault. -
New Vault users: The
hashicorp.vaultcollection is included in the supported execution environment from automation hub.
Although the hashicorp.vault and hashi.terraform collections work independently of each other and are designed for different tasks, you can use them together in advanced workflows.
2.2. Authenticating to hashicorp.vault
After you install or migrate to the hashicorp.vault collection, authentication is configured in the Ansible Automation Platform user interface. An administrator creates a custom credential type to authenticate to Vault. Then users create credentials to use with job templates.
2.2.1. Authentication architecture
The hashicorp.vault collection manages authentication through environment variables and client initialization. This approach enhances security by preventing sensitive credentials from being passed directly as module parameters within playbook tasks.
The hashicorp.vault collection injects credentials into job templates with environment variables, so you get simpler, cleaner task definitions while ensuring that authentication details remain secure.
The following authentication types are supported:
appRole authentication: Use either one of the following methods when using appRole authentication:
-
Set the
VAULT_APPROLE_ROLE_IDandVAULT_APPROLE_SECRET_IDenvironment variables. When you use environment variables, you must also create a custom credential type and credentials that will be passed to the job template. Directly pass the
role_idandsecret_idparameters to the tasks, for example:- name: Create a secret with AppRole authentication hashicorp.vault.kv2_secret: url: https://vault.example.com:8200 auth_method: approle role_id: "{{ vault_role_id }}" secret_id: "{{ vault_secret_id }}" path: myapp/config data: api_key: secret-api-key
-
Set the
Token authentication: Set the
VAULT_TOKENenvironment variable.Optionally, you can configure parameters for the token. If parameters are not provided, then the module uses environment variables.
2.2.2. Creating a custom credential type
As an admin, you create a secure credential type in Ansible Automation Platform, which is used to authenticate to Vault.
You can configure role-based (appRole) authentication or allow users to directly provide a token.
Prerequisites
Do one of the following:
-
New users: Install the Ansible Automation Platform certified
hashicorp.vaultcollection from Automation hub. -
community.hashi_vaultcollection users: Migrate fromcommunity.hashi_vault. For more information, see Migrating fromcommunity.hashi_vault.
Procedure
- Log in to Ansible Automation Platform.
-
From the navigation panel, select
. - Click . The Create Credential Type page opens.
- Enter a name and a description in the corresponding fields.
If you want to configure token authentication for individual users:
For Input configuration, enter:
fields: - id: vault_token type: string label: Hashicorp Vault Token secret: trueFor Injector configuration, enter:
env: VAULT_TOKEN: '{{ vault_token }}'
If you want to configure appRole authentication using
role_idandsecret_id:For Input configuration, enter:
fields: - id: vault_approle_role_id type: string label: Hashicorp Vault appRole Role ID secret: true - id: vault_approle_secret_id type: string label: Hashicorp Vault appRole Secret ID secret: trueFor Injector configuration, enter:
env: VAULT_APPROLE_ROLE_ID: '{{ vault_approle_role_id }}' VAULT_APPROLE_SECRET_ID: '{{ vault_approle_secret_id }}'
- Click .
Next step
Additional resources
2.2.3. Creating a custom credential
Vault users must create a custom credential to use with job templates in Ansible Automation Platform.
Prerequisite
- Your administrator has created a Vault credential type.
Procedure
- Log in to Ansible Automation Platform.
-
From the navigation panel, select
, and then select . - Enter a name and a description in the corresponding fields.
- (Optional) From the Organization list, select an organization.
- From the Credential type list, select a Vault credential type. The fields that display depend on the credential type.
Do one of the following:
- For the token authentication, add your Vault token and edit any fields as needed.
- For the appRole authentication method, enter the IDs in the appRole Role ID and appRole Secret ID fields. Edit any other fields as needed.
- Click . You are ready to use the credential in a job template.
2.3. Migrating from community.hashi_vault
If you are using the community.hashi_vault collection, you can migrate your existing playbooks to the hashicorp.vault collection.
2.3.1. Configuring KV1 modules
If you are using KV1 with community.hashi_vault collection, configure the corresponding modules in the hashicorp.vault collection.
2.3.1.1. Configuring the hashicorp.vault.kv1_secret module
Procedure
-
Configuring this module is not required for migration because there are no corresponding modules in
community.hashi_vault. However, you might want to configure something other than the defaults forauth_methodandstateafter the migration. You can use the examples on Ansible automation hub for reference.
2.3.1.2. Configuring the hashicorp.vault.kv1_secret_info module
The hashicorp.vault.kv1_secret_info module reads KV1 secrets.
The corresponding community.hashi_vault modules are:
-
community.hashi_vault.vault_kv1_get: Retrieves secrets from the HashiCorp Vault KV version 1 secret store. -
community.hashi_vault.vault_kv1_get lookup: Retrieves secrets from the HashiCorp Vault KV version 1 secret store.
Procedure
Replicate the
community.hashi_vault modulesto the followinghashicorp.vault.kv1_secret_secret_infoparameters.engine_mount_point: description: KV secrets engine mount point. default: secret type: str aliases: [secret_mount_path] path: description: - Specifies the path of the secret. required: true type: str aliases: [secret_path] extends_documentation_fragment: - hashicorp.vault.vault_auth.modules-
(Required) Configure the
pathparameter. This is the path to the secret in thecommunity.hashi_vault.hashi_vaultmodules. Alias:secret_path - If needed, configure the optional parameters.
2.3.1.3. Configuring the hashicorp.vault.kv1_secret_get lookup plugin
The hashicorp.vault.kv1_secret_get lookup plugin module reads KV1 secrets.
The corresponding community.hashi_vault modules are:
-
community.hashi_vault.hashi_vault: Retrieves secrets from HashiCorp Vault. -
community.hashi_vault.vault_kv1_get lookup: Gets secrets from the HashiCorp Vault KV version 1 secret store.
Procedure
Replicate
the community.hashi_vaultmodules to the followinghashicorp.vault.kv1_secret_getparameters.auth_method: description: Authentication method to use. choices: ['token', 'approle'] default: token type: str engine_mount_point: description: - The KV secrets engine mount point. default: secret type: str aliases: ['mount_point', 'secret_mount_path'] secret: description: - The Vault path to the secret being requested. required: true type: str aliases: ['secret_path']-
(Required) Configure the secret parameter. This maps to secret in the
community.hashi_vault.hashi_vaultmodules. Alias:secret_path - If needed, configure the optional parameters.
Next step
2.3.1.4. Migration example for the hashicorp.vault.kv1_secret_info module
The following example shows before and after configurations for the hashicorp.vault.kv1_secret_info module.
Example:
Before (community.hashi_vault)
- name: Read a kv1 secret from Vault (community collection)
community.hashi_vault.vault_kv1_get:
url: https://vault:8201
token: "{{ vault_token }}"
path: hello
register: responseAfter (hashicorp.vault)
- name: Read a kv1 secret from Vault (hashicorp.vault collection)
hashicorp.vault.kv1_secret_info:
url: https://vault.example.com:8201
token: "{{ vault_token }}"
path: sample2.3.1.5. Migration example for the hashicorp.vault.kv1_secret_get lookup
The following example shows the KV1 secret get lookup.
Example:
Before (community.hashi_vault)
- name: Retrieve a secret from the Vault
ansible.builtin.debug:
msg: "{{ lookup('community.hashi_vault.vault_kv1_get', 'hello', url='https://vault:8201') }}"After (hashicorp.vault)
- name: Retrieve a secret from the Vault
ansible.builtin.debug:
msg: "{{ lookup('hashicorp.vault.kv1_secret_get',
secret='hello',
url='https://myvault_url:8201') }}"2.3.2. Configuring KV2 modules
If you are using KV2 with community.hashi_vault collection, configure the corresponding modules in the hashicorp.vault collection.
2.3.2.1. Configuring the hashicorp.vault.kv2_secret module
The hashicorp.vault.kv2_secret module performs Create, Update, and Delete (CRUD) operations on KV2 secrets through a unified interface.
The corresponding community.hashi_vault modules are:
-
community.hashi_vault.vault_kv2_write- Write KV2 secrets. -
community.hashi_vault.vault_kv2_delete- Delete KV2 secrets.
Prerequisites
-
Install the Ansible Automation Platform certified
hashicorp.vaultcollection.
Procedure
Replicate your automation tasks from both of the
community.hashi_vaultmodules to the followinghashicorp.vault.kv2_secretparameters. Thehashicorp.vault.kv2_secretparameters are similar tocommunity.hashi_vault.auth_method: description: Authentication method to use type: str choices: [token, approle] default: token required: false cas: description: Perform a check-and-set operation. type: int required: false data: description: KV2 secret data to write. type: dict required: true engine_mount_point: description: The path where the secret backend is mounted. type: str default: secret required: false aliases: [secret_mount_path] namespace: description: Vault namespace where secrets reside. type: str default: admin aliases: [vault_namespace] path: description: Vault KVv2 path to be written to. type: str required: true aliases: [secret_path] url: description: URL of the Vault service type: str aliases: [vault_address] required: true versions: description: One or more versions of the secret to delete. type: list of int required: false state: description: Desired state of the secret type: str choices: [present, absent] default: presentYou must add the
stateparameter to thehashicorp.vault.kv2_secretmodule, as shown above. Valid options are:-
present: This is the equivalent ofcreateorupdatein thecommunity.hashi_vault.vault_kv2modules. -
absent: This is the equivalent ofdelete secretin thecommunity.hashi_vault.vault_kv2modules.
-
2.3.2.2. Configuring the hashicorp.vault.kv2_secret_info module
The hashicorp.vault.kv2_secret_info module reads KV2 secrets.
The corresponding community.hashi_vault module is:
-
community.hashi_vault.vault_kv2_get: Gets secrets from the HashiCorp Vault KV version 2 secret store.
Procedure
Replicate the
community.hashi_vaultmodules to the followinghashicorp.vault.kv2_secret_infoparameters.engine_mount_point: description: KV secrets engine mount point. default: secret type: str aliases: [secret_mount_path] path: description: Path to the secret. required: true type: str aliases: [secret_path] version: description: The version to retrieve. type: int extends_documentation_fragment: - hashicorp.vault.vault_auth.modulesConfigure the required parameters:
-
path: The path where the secret is located in the community.hashi_vault.hashi_vaultmodules. Alias:secret_path -
url: Maps tourlin thecommunity.hashi_vault.hashi_vaultmodules. Uses the same aliases asvault_address.
-
- If needed, configure the optional parameters.
2.3.2.3. Configuring the hashicorp.vault.kv2_secret_get lookup plugin
The hashicorp.vault.kv2_secret_get lookup plugin module reads KV2 secrets.
The corresponding community.hashi_vault modules are:
-
community.hashi_vault.hashi_vault: Retrieves secrets from HashiCorp Vault. -
community.hashi_vault.vault_kv2_getlookup: Gets secrets from the HashiCorp Vault KV version 2 secret store.
Procedure
Replicate the
community.hashi_vaultmodules to the followinghashicorp.vault.kv2_secret_getparameters.auth_method: description: Authentication method to use type: str choices: [token, approle] default: token required: false mount_point: description: Vault mount point type: str required: false aliases: [secret_mount_path] namespace: description: Vault namespace where secrets reside. type: str default: admin aliases: [vault_namespace] secret: description: Vault path to the secret being requested in the format path[:field] type: str required: true aliases: [secret_path] url: description: URL of the Vault service type: str aliases: [vault_address] required: true version: description: Specifies the version to return. If not set the latest is returned. type: int required: falseUse the following guidance to configure the
hashicorp.vault.kv2_secret_getparameters:-
auth_method: Maps identically toauth_methodin thecommunity.hashi_vault.hashi_vaultmodules. -
mount_point: Maps tomount_pointin thecommunity.hashi_vault.hashi_vaultmodules. Alias:secret_mount_path. -
namespace: Maps tonamespacein thecommunity.hashi_vault.hashi_vaultmodules. Alias:vault_namespace. -
secret: Maps tosecretin thecommunity.hashi_vault.hashi_vaultmodules. -
url: Maps tourlin thecommunity.hashi_vault.hashi_vaultmodules. Uses the same aliases asvault_address. -
version: Maps identically toversionin thecommunity.hashi_vault.hashi_vaultmodules.
-
Next step
2.3.2.4. Migration examples for the hashicorp.vault.kv2_secret module
The following examples show basic before and after configurations for the hashicorp.vault.kv2_secret module.
KV2 delete operations are soft-delete.
Example 1: Basic Secret Write/Create
Before (community.hashi_vault):
- name: Write/create a secret
community.hashi_vault.vault_kv2_write:
url: https://vault:8200
path: hello
data:
foo: bar
After (hashicorp.vault):
- name: Write/create a secret
hashicorp.vault.kv2_secret:
url: https://vault:8200
path: hello
data:
foo: barExample 2: Basic Secret Delete
Before (community.hashi_vault):
- name: Delete the latest version of the secret/mysecret secret.
community.hashi_vault.vault_kv2_delete:
url: https://vault:8201
path: secret/mysecret
After (hashicorp.vault):
- name: Delete the latest version of the secret/mysecret secret.
hashicorp.vault.kv2_secret:
url: https://vault:8201
path: secret/mysecret
state: absentExample 3: Secret Delete - specific version
Before (community.hashi_vault):
- name: Delete versions 1 and 3 of the secret/mysecret secret.
community.hashi_vault.vault_kv2_delete:
url: https://vault:8201
path: secret/mysecret
versions: [1, 3]
After (hashicorp.vault):
- name: Delete versions 1 and 3 of the secret/mysecret secret.
hashicorp.vault.kv2_secret:
url: https://vault:8201
path: secret/mysecret
versions: [1, 3]
state: absent2.3.2.5. Migration examples for the hashicorp.vault.kv2_secret_info module
The following examples show before and after configurations for the hashicorp.vault.kv2_secret_info module.
Example 1: Read a secret with token authentication
Before (community.hashi_vault)
- name: Read the latest version of a kv2 secret from Vault community.hashi_vault.vault_kv2_get:
url: https://vault.example.com:8200
token: "{{ vault_token }}"
path: myapp/config
register: responseAfter (hashicorp.vault)
- name: Read a secret with token authentication
hashicorp.vault.kv2_secret_info:
url: https://vault.example.com:8200
token: "{{ vault_token }}"
path: myapp/configExample 2: Read a secret with a specific version
Before (community.hashi.vault)
- name: Read version 5 of a secret from kv2
community.hashi_vault.vault_kv2_get:
url: https://vault.example.com:8200
path: myapp/config
version: 5After (hashicorp.vault)
- name: Read a secret with a specific version
hashicorp.vault.kv2_secret_info:
url: https://vault.example.com:8200
path: myapp/config
version: 12.3.2.6. Migration examples for the hashicorp.vault.kv2_secret_get lookup
The following example shows the KV2 secret get lookup for retrieving the latest version.
Example:
Before (community.hashi_vault)
- name: Return latest KV v2 secret from path
ansible.builtin.debug:
msg: "{{ lookup('community.hashi_vault.hashi_vault', 'secret=secret/data/hello
token=my_vault_token
url=http://myvault_url:8200') }}"
After (hashicorp.vault)
name: Return latest KV v2 secret from path
ansible.builtin.debug:
msg: "{{ lookup('hashicorp.vault.kv2_secret_get', 'secret=secret/data/hello
url=http://myvault_url:8200') }}"
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}