Using Hashicorp Vault with Ansible - plugin installation
I want to use Hashicorp Vault with Ansible to retrieve a username/password that I will use in an Ansible playbook.
Vault setup: I created a secret. What are the steps to integrate the two? The documentation around the plugin isn't that great. I tried looking it up in the docs for Ansible and for this package, but how do I use a third-party plugin? Can someone help me with the following steps?
1. Install the plugin: `pip install ansible-modules-hashivault`
2. What is https://github.com/jhaals/ansible-vault used for?
   2.a. Where do I set the environment variables (VAULT_ADDR & VAULT_TOKEN)?
3. Change `ansible.cfg` to point to `vault.py`, which is located in the "plugins" folder of my Ansible project.
4. To test the basic integration, can I use the playbook below? https://pypi.python.org/pypi/ansible-modules-hashivault

```yaml
- hosts: localhost
  tasks:
    - hashivault_status:
      register: vault_status
```

I tried, but I get:
```
An exception occurred during task execution. The full traceback is:
Traceback (most recent call last):
File "/usr/lib/python2.7/site-packages/ansible/executor/task_executor.py", line 119, in run
res = self._execute()
File "/usr/lib/python2.7/site-packages/ansible/executor/task_executor.py", line 431, in _execute
self._task.post_validate(templar=templar)
File "/usr/lib/python2.7/site-packages/ansible/playbook/task.py", line 248, in post_validate
super(Task, self).post_validate(templar)
File "/usr/lib/python2.7/site-packages/ansible/playbook/base.py", line 371, in post_validate
value = templar.template(getattr(self, name))
File "/usr/lib/python2.7/site-packages/ansible/template/__init__.py", line 359, in template
d[k] = self.template(variable[k], preserve_trailing_newlines=preserve_trailing_newlines, fail_on_undefined=fail_on_undefined, overrides=overrides)
File "/usr/lib/python2.7/site-packages/ansible/template/__init__.py", line 331, in template
result = self._do_template(variable, preserve_trailing_newlines=preserve_trailing_newlines, escape_backslashes=escape_backslashes, fail_on_undefined=fail_on_undefined, overrides=overrides)
File "/usr/lib/python2.7/site-packages/ansible/template/__init__.py", line 507, in _do_template
res = j2_concat(rf)
File "<template>", line 8, in root
File "/usr/lib/python2.7/site-packages/jinja2/runtime.py", line 193, in call
return __obj(*args, **kwargs)
File "/usr/lib/python2.7/site-packages/ansible/template/__init__.py", line 420, in _lookup
instance = self._lookup_loader.get(name.lower(), loader=self._loader, templar=self)
File "/usr/lib/python2.7/site-packages/ansible/plugins/__init__.py", line 339, in get
self._module_cache[path] = self._load_module_source('.'.join([self.package, name]), path)
File "/usr/lib/python2.7/site-packages/ansible/plugins/__init__.py", line 324, in _load_module_source
module = imp.load_source(name, path, module_file)
File "/etc/ansible/ProjectA/lookup_plugins/vault.py", line 5
<!DOCTYPE html>
^
SyntaxError: invalid syntax
fatal: [win01]: FAILED! => {
"failed": true,
"msg": "Unexpected failure during module execution.",
"stdout": ""
```
Since you put so much stuff into the post, I'm not sure what the question is actually about, so here is something to get you going with the native lookup plugin and jhaals/ansible-vault.
You can create a `lookup_plugins` directory in the current directory and save `vault.py` inside it; set the `VAULT_ADDR` and `VAULT_TOKEN` environment variables as you see in the script below.
The following bash script (it uses `screen` and `jq`, you may need to install them) runs Vault in dev mode, sets a secret, and runs the Ansible playbook, which queries the secret with both lookup plugins:
```bash
#!/bin/bash
set -euo pipefail
export VAULT_ADDR=http://127.0.0.1:8200
# start a dev-mode Vault in a detached screen session unless one is already running
if [[ ! $(pgrep -f "vault server -dev") ]]; then
  echo \"vault server -dev\" not running, starting...
  screen -S vault -d -m vault server -dev
  printf "sleeping for 3 seconds\n"
  sleep 3
else
  echo \"vault server -dev\" already running, leaving as is...
fi
# write the test secret, create a token and hand it to the playbook
vault write secret/hello value=world excited=yes
export VAULT_TOKEN=$(vault token-create -format=json | jq -r .auth.client_token)
ansible-playbook playbook.yml --extra-vars="vault_token=${VAULT_TOKEN}"
```
and `playbook.yml`:
```yaml
---
- hosts: localhost
  connection: local
  tasks:
    - name: Retrieve secret/hello using native hashi_vault plugin
      debug: msg="{{ lookup('hashi_vault', 'secret=secret/hello token={{ vault_token }} url=http://127.0.0.1:8200') }}"
    - name: Retrieve secret/hello using jhaals vault lookup
      debug: msg="{{ lookup('vault', 'secret/hello') }}"
```
What you should get:
```
TASK [Retrieve secret/hello using native hashi_vault plugin] *******************
ok: [localhost] => {
    "msg": "world"
}

TASK [Retrieve secret/hello using jhaals vault lookup] *************************
ok: [localhost] => {
    "msg": {
        "excited": "yes",
        "value": "world"
    }
}
```
The word `world` was retrieved from Vault.
Thx techraf, I've now got both plugins up and running! – RedAnsible
Would you mind fixing your playbook's syntax first? The indentation is broken, and "tasks" is a key, not another item. – techraf
Vault provides a simple REST API - you could even use the [uri](https://docs.ansible.com/ansible/uri_module.html) module. Surprisingly, although Ansible provides many lookup plugins and it should be simple, finding one that works is quite hard - [the one you've already found](https://github.com/jhaals/ansible-vault) works. – techraf
I really don't understand what you're asking here. The plugin's README is very clear and provides good examples. Are you asking what [environment variables](https://en.wikipedia.org/wiki/Environment_variable) are? – techraf
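As an added example (not part of the thread and not code from either plugin), this is the HTTP call techraf's comment refers to: the lookup plugins and the `uri` module all just GET `/v1/<path>` with an `X-Vault-Token` header and read the `data` object back, which is why the native plugin prints `world` for the `value` key. The fake server, its token `s.example` and the `kv/data/hello` path are constructed for the offline run; the function also unwraps the KV v2 response shape, which the answer's KV v1 dev server does not use.

```python
import json
import urllib.error
import urllib.request


def read_vault_secret(addr, token, path, opener=urllib.request.urlopen):
    """GET /v1/<path> from Vault and return the secret's key/value dict.
    Handles KV v1 ({"data": {...}}) and KV v2 ({"data": {"data": {...},
    "metadata": {...}}}) responses; `opener` is injectable for offline use."""
    url = "%s/v1/%s" % (addr.rstrip("/"), path.lstrip("/"))
    req = urllib.request.Request(url, headers={"X-Vault-Token": token})
    try:
        with opener(req) as resp:
            body = json.loads(resp.read().decode("utf-8"))
    except urllib.error.HTTPError as exc:
        # 403: the token's policies do not grant read on this path; 404: no secret there
        raise RuntimeError("Vault returned HTTP %d for %s" % (exc.code, path))
    data = body.get("data") or {}
    if isinstance(data.get("data"), dict) and "metadata" in data:
        data = data["data"]  # KV v2 nests the payload one level deeper than KV v1
    return data


class _FakeResponse(object):
    """Minimal stand-in for the response object urlopen returns."""
    def __init__(self, payload):
        self._payload = payload
    def read(self):
        return json.dumps(self._payload).encode("utf-8")
    def __enter__(self):
        return self
    def __exit__(self, *exc_info):
        return False


def fake_vault(req):
    """Constructed responses mimicking the dev-mode server from the answer."""
    # urllib stores header names capitalised, so look up "X-vault-token"
    if req.get_header("X-vault-token") != "s.example":
        raise urllib.error.HTTPError(req.full_url, 403, "permission denied", {}, None)
    routes = {
        "/v1/secret/hello": {"data": {"value": "world", "excited": "yes"}},  # KV v1
        "/v1/kv/data/hello": {"data": {"data": {"value": "world"}, "metadata": {"version": 1}}},
    }
    if req.selector not in routes:
        raise urllib.error.HTTPError(req.full_url, 404, "not found", {}, None)
    return _FakeResponse(routes[req.selector])
```

Against a real server call it with `os.environ["VAULT_ADDR"]` and `os.environ["VAULT_TOKEN"]`; reading the token from the environment keeps it out of the `ps` output that `--extra-vars="vault_token=..."` exposes.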