2

I am trying (newbie) to set up a playbook which will use a lookup plugin to fetch secrets from Vault (https://github.com/jhaals/ansible-vault), but it fails on missing environment variables every time. Can anyone help? Thanks for the help.

PS: the token is for test purposes

There is a condition in the lookup module:

```python
url = os.getenv('VAULT_ADDR')
if not url:
    raise AnsibleError('VAULT_ADDR environment variable is missing')
```

Playbook:

```yaml
---
- hosts: localhost
  vars:
    vault1_env:
      VAULT_ADDR: https://localhost:8200/
      VAULT_TOKEN: my-token-id
      VAULT_SKIP_VERIFY: True

  tasks:
     - shell: echo VAULT_ADDR is $VAULT_ADDR, VAULT_TOKEN is $VAULT_TOKEN, VAULT_SKIP_VERIFY is $VAULT_SKIP_VERIFY
       environment: "{{ vault1_env }}"
       register: shellout
     - debug: var=shellout
     - debug: msg="{{ lookup('vault', 'secret/hello', 'value') }}"
```

Output:

```
PLAY ***************************************************************************

TASK [setup] *******************************************************************
ok: [localhost]

TASK [command] *****************************************************************
changed: [localhost]

TASK [debug] *******************************************************************
ok: [localhost] => {
    "shellout": {
        "changed": true, 
        "cmd": "echo VAULT_ADDR is $VAULT_ADDR, VAULT_TOKEN is $VAULT_TOKEN, VAULT_SKIP_VERIFY is $VAULT_SKIP_VERIFY", 
        "delta": "0:00:00.001268", 
        "end": "2016-05-17 15:46:34.144735", 
        "rc": 0, 
        "start": "2016-05-17 15:46:34.143467", 
        "stderr": "", 
        "stdout": "VAULT_ADDR is https://localhost:8200/, VAULT_TOKEN is ab9b16c6-52d9-2051-0802-6f047d929b63, VAULT_SKIP_VERIFY is True", 
        "stdout_lines": [
            "VAULT_ADDR is https://localhost:8200/, VAULT_TOKEN is ab9b16c6-52d9-2051-0802-6f047d929b63, VAULT_SKIP_VERIFY is True"
        ], 
        "warnings": []
    }
}

TASK [debug] *******************************************************************
fatal: [localhost]: FAILED! => {"failed": true, "msg": "ERROR! VAULT_ADDR environment variable is missing"}

PLAY RECAP *********************************************************************
localhost                  : ok=3    changed=1    unreachable=0    failed=1   
```
Daniel Mann
MUHAHA

2 Answers

2

Here you are only setting environment variables for the shell module, and not for the others. If you want to use variables across multiple modules, or for an entire host, you should use the environment attribute on all of the modules, or on the host itself, something like this:

```yaml
---
- hosts: localhost
  environment:
    VAULT_ADDR: https://localhost:8200/
    VAULT_TOKEN: my-token-id
    VAULT_SKIP_VERIFY: True
```
SztupY
  • This does not work either... `--- - hosts: localhost vars: vault1_env: VAULT_ADDR: https://localhost:8200/ VAULT_TOKEN: my-token-id VAULT_SKIP_VERIFY: True tasks: - shell: echo VAULT_ADDR is $VAULT_ADDR, VAULT_TOKEN is $VAULT_TOKEN, VAULT_SKIP_VERIFY is $VAULT_SKIP_VERIFY environment: "{{ vault1_env }}" register: shellout - debug: var=shellout - debug: msg="{{ lookup('vault', 'secret/hello', 'value') }}" environment: "{{ vault1_env }}"` – MUHAHA May 17 '16 at 14:33
  • @MUHAHA just seen that your plugin is a lookup module. Those modules run in a local context, and I'm not sure you can override that from ansible. One thing you might do is call ansible from within ansible and pre-set the environment variables. Or do what the module suggests, and just export the env variables outside of ansible. You might also want to raise a ticket with the developer – SztupY May 17 '16 at 14:54
  • or use https://github.com/TerryHowe/ansible-modules-hashivault where you can set the variables on the module (although it's not a lookup plugin) – SztupY May 17 '16 at 14:57
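
Why the shell task sees `VAULT_ADDR` while the lookup does not, as an added example that is not part of the original posts or the plugin's code: a task's `environment:` is handed to the process that runs the module, whereas a lookup is evaluated inside the `ansible-playbook` process and reads that process's own environment. Here a `subprocess` child stands in for the task and the hypothetical `lookup_vault_addr()` mirrors the check quoted in the question; the values are constructed placeholders.

```python
import os
import subprocess
import sys

# Constructed sample values; the token is a placeholder, not a real credential.
TASK_ENV = {"VAULT_ADDR": "https://localhost:8200/", "VAULT_TOKEN": "my-token-id"}


def lookup_vault_addr():
    """Stand-in for the plugin's check: reads the controller process's environment."""
    url = os.getenv("VAULT_ADDR")
    if not url:
        raise RuntimeError("VAULT_ADDR environment variable is missing")
    return url


def run_task_with_environment(task_env):
    """Model a task's `environment:`: the variables go only to the child process."""
    child_env = dict(os.environ, **task_env)
    code = "import os; print(os.environ['VAULT_ADDR'])"
    out = subprocess.run([sys.executable, "-c", code], env=child_env,
                         capture_output=True, text=True, check=True)
    return out.stdout.strip()


def demo():
    saved = os.environ.pop("VAULT_ADDR", None)  # start from a clean controller env
    try:
        seen_by_task = run_task_with_environment(TASK_ENV)
        try:
            lookup_vault_addr()
            lookup_before = "found"
        except RuntimeError as exc:
            lookup_before = str(exc)
        # Equivalent of `export VAULT_ADDR=...` before starting ansible-playbook.
        os.environ["VAULT_ADDR"] = TASK_ENV["VAULT_ADDR"]
        lookup_after = lookup_vault_addr()
    finally:
        os.environ.pop("VAULT_ADDR", None)
        if saved is not None:
            os.environ["VAULT_ADDR"] = saved
    return seen_by_task, lookup_before, lookup_after


if __name__ == "__main__":
    print(demo())
```
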
0

Why don't you make use of the vault feature to encrypt a variable file and then include this file in your playbook?

http://docs.ansible.com/ansible/playbooks_vault.html#running-a-playbook-with-vault

Carl Wainwright