3.4. Retrieving a secret from a standard user vault in IdM using Ansible

Follow this procedure to use an Ansible playbook to retrieve a secret from the user personal vault. In the example used in the procedure below, the idm_user user retrieves a file with sensitive data from a vault of the standard type named my_vault onto an IdM client named host01. idm_user does not have to authenticate when accessing the file. idm_user can use Ansible to retrieve the file from any IdM client on which Ansible is installed.

Prerequisites

You have configured your Ansible control node to meet the following requirements:
- You are using Ansible version 2.15 or later.
- You have installed the ansible-freeipa package.
- The example assumes that in the ~/MyPlaybooks/ directory, you have created an Ansible inventory file with the fully-qualified domain name (FQDN) of the IdM server.
The target node, that is the node on which the freeipa.ansible_freeipa module is executed, is part of the IdM domain as an IdM client, server or replica.
You know the password of idm_user.
idm_user is the owner of my_vault.
idm_user has stored a secret in my_vault.
Ansible can write into the directory on the IdM host into which you want to retrieve the secret.
idm_user can read from the directory on the IdM host into which you want to retrieve the secret.

Procedure

Navigate to the ~/MyPlaybooks/ directory:
```
$ cd ~/MyPlaybooks/
```
Open your inventory file and mention, in a clearly defined section, the IdM client onto which you want to retrieve the secret. For example, to instruct Ansible to retrieve the secret onto host01.idm.example.com, enter:
```
[ipahost]
host01.idm.example.com
```

Make a copy of the retrive-data-symmetric-vault.yml Ansible playbook file from the relevant collections directory. Replace "symmetric" with "standard". For example:

$ cp /usr/share/ansible/collections/ansible_collections/freeipa/ansible_freeipa/playbooks/vault/retrive-data-symmetric-vault.yml retrieve-data-standard-vault.yml-copy.yml

Open the retrieve-data-standard-vault.yml-copy.yml file for editing.
Adapt the file by setting the hosts variable to ipahost.
Adapt the file by setting the following variables in the freeipa.ansible_freeipa.ipavault task section:
- Set the ipaadmin_principal variable to idm_user.
- Set the ipaadmin_password variable to the password of idm_user.
- Set the user variable to idm_user.
- Set the name variable to my_vault.
- Set the out variable to the full path of the file into which you want to export the secret.
- Set the state variable to retrieved.
  This the modified Ansible playbook file for the current example:
```
---
- name: Tests
  hosts: ipahost
  gather_facts: false

  tasks:
  - freeipa.ansible_freeipa.ipavault:
      ipaadmin_principal: idm_user
      ipaadmin_password: idm_user_password
      user: idm_user
      name: my_vault
      out: /tmp/password_exported.txt
      state: retrieved
```
Save the file.

Run the playbook:

$ ansible-playbook -v -i inventory retrieve-data-standard-vault.yml-copy.yml

Verification

SSH to host01 as user01:
```
$ ssh user01@host01.idm.example.com
```
View the file specified by the out variable in the Ansible playbook file:
```
$ vim /tmp/password_exported.txt
```

You can now see the exported secret.

For more information about using Ansible to manage IdM vaults and user secrets and about playbook variables, see the README-vault.md Markdown file available in the /usr/share/ansible/collections/ansible_collections/freeipa/ansible_freeipa/ directory and the sample playbooks available in the /usr/share/ansible/collections/ansible_collections/freeipa/ansible_freeipa/playbooks/vault/ directory.

3.4. Retrieving a secret from a standard user vault in IdM using Ansible

学习

尝试、购买和销售

社区

关于红帽文档

让开源更具包容性

關於紅帽

Theme

Red Hat legal and privacy links

Red Hat legal and privacy links