CXM's land

Ansible with HashiCorp Vault

Install New Modules to brew managed python

  • Check Ansible version

```shell
ansible --version
```

Because I installed Ansible with brew, the output is:

```text
ansible [core 2.16.8]
  config file = /Users/cxm/.ansible.cfg
  configured module search path = ['/Users/cxm/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /opt/homebrew/Cellar/ansible@9/9.6.0_1/libexec/lib/python3.12/site-packages/ansible
  ansible collection location = /Users/cxm/.ansible/collections
  executable location = /opt/homebrew/bin/ansible
  python version = 3.12.4 (main, Jun  6 2024, 18:26:44) [Clang 15.0.0 (clang-1500.3.9.4)] (/opt/homebrew/Cellar/ansible@9/9.6.0_1/libexec/bin/python)
  jinja version = 3.1.4
  libyaml = True
```
  • Install new modules to brew managed python

The HashiCorp Vault modules (community.hashi_vault) depend on the hvac Python module, so we need to install hvac into the Python interpreter that ansible uses (the one shown under "ansible python module location" above), not into whatever python3 happens to be on PATH.

```shell
# Install new modules to brew managed python
# https://stackoverflow.com/questions/24257803/install-new
# The -t target is the site-packages directory printed by `ansible --version`
# (the "ansible python module location" without its trailing /ansible).
pip3 install hvac -t /opt/homebrew/Cellar/ansible@9/9.6.0_1/libexec/lib/python3.12/site-packages
```
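The two steps above (read `ansible --version`, then install into that interpreter's site-packages) can be scripted so the path is derived rather than typed by hand, and so the install is verified from inside ansible's own interpreter. The following is an added example, not code from the original post; it keeps the post's `pip3 install -t` technique, and the `SAMPLE_VERSION_OUTPUT` string is constructed from the paths printed on this page so the parsing can be exercised on a machine that has no ansible installed.

```shell
#!/bin/sh
# Added example (not from the original post): locate the interpreter and
# site-packages that ansible actually uses, install hvac there, and verify
# the import from that interpreter. Run with "install" to perform the
# install on a real system; with no argument it only parses the sample.

# Constructed sample, taken from the `ansible --version` output shown on this page.
SAMPLE_VERSION_OUTPUT='ansible [core 2.16.8]
  config file = /Users/cxm/.ansible.cfg
  ansible python module location = /opt/homebrew/Cellar/ansible@9/9.6.0_1/libexec/lib/python3.12/site-packages/ansible
  executable location = /opt/homebrew/bin/ansible
  python version = 3.12.4 (main, Jun  6 2024, 18:26:44) [Clang 15.0.0 (clang-1500.3.9.4)] (/opt/homebrew/Cellar/ansible@9/9.6.0_1/libexec/bin/python)'

# site_packages_dir OUTPUT: the directory holding ansible's own package, i.e. the
# "ansible python module location" with its trailing /ansible removed.
site_packages_dir() {
  printf '%s\n' "$1" | sed -n 's|^ *ansible python module location = \(.*\)/ansible$|\1|p'
}

# ansible_python OUTPUT: the interpreter path, which is the last parenthesised
# group on the "python version" line.
ansible_python() {
  printf '%s\n' "$1" | sed -n 's|^ *python version = .*(\([^()]*\))$|\1|p'
}

# install_hvac: the same `pip3 install -t` as the post, with the target derived.
install_hvac() {
  out=$(ansible --version) || return 1
  target=$(site_packages_dir "$out")
  [ -n "$target" ] || { echo "could not find ansible's site-packages" >&2; return 1; }
  pip3 install hvac -t "$target"
}

# verify_hvac: importing with ansible's interpreter (not the python3 on PATH)
# is the only check that proves the module is visible to ansible.
verify_hvac() {
  out=$(ansible --version) || return 1
  py=$(ansible_python "$out")
  [ -n "$py" ] || { echo "could not find ansible's interpreter" >&2; return 1; }
  "$py" -c 'import sys, hvac; print("hvac importable by", sys.executable)'
}

case "${1:-}" in
  install) install_hvac && verify_hvac ;;
  verify)  verify_hvac ;;
  *)
    echo "parsing the constructed sample:"
    echo "site-packages: $(site_packages_dir "$SAMPLE_VERSION_OUTPUT")"
    echo "interpreter:   $(ansible_python "$SAMPLE_VERSION_OUTPUT")"
    ;;
esac
```

Deriving the target from `ansible --version` matters whenever brew upgrades the formula: the versioned Cellar path changes, and a hard-coded `-t` would silently install into the old tree.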

Write a playbook

```yaml
---
- name: Tests
  hosts: localhost
  connection: local
  pre_tasks:
    - name: Get Secret
      # vault_kv2_get reads a KV version 2 secret; path is relative to the
      # engine mount point (engine_mount_point, default "secret").
      community.hashi_vault.vault_kv2_get:
        # A plain http:// URL sends the token in clear text; use https with
        # certificate validation outside a lab.
        url: "http://cxmhome"
        path: "secret/my-super-secret"
        auth_method: token
        # vault_token is supplied at run time (for example an extra var or an
        # ansible-vault encrypted vars file); add no_log: true to this task if
        # the token and secret must not appear in verbose output.
        token: "{{ vault_token }}"
      delegate_to: localhost
      register: vault_resp

  tasks:
    - name: Display the results
      ansible.builtin.debug:
        msg:
          - "Secret: {{ vault_resp.secret.password }}"
          - "Data: {{ vault_resp.data }} (contains secret data & metadata in kv2)"
          - "Metadata: {{ vault_resp.metadata }}"
          - "Full response: {{ vault_resp.raw }}"
          - "Value of key 'password' in the secret: {{ vault_resp.secret.password }}"
```

Reference

Ansible Docs