Ansible Vars Plugin for Hashicorp Vault
Project description
# Ansible Vars Plugin for Hashicorp Vault
An Ansible Vars Plugin for Hashicorp Vault to lookup credentials/secrets,
injecting these into the playbook run (e.g. `ansible_user`, `ansible_password`,
etc).
Use Hashicorp Vault like you would ansible-vault'ed group_vars,
domain_vars [a new concept in this module!] and host_vars.
This module was developed for the [gostint](https://goethite.github.io/gostint/)
project.
## Installation
```bash
sudo pip install hashivault-vars
```
## Enable in Ansible
Symlink from ansible's vars plugins folder to `hashivault_vars.py`, e.g.:
```bash
$ cd /usr/local/lib/python2.7/dist-packages/ansible/plugins/vars
$ sudo ln -s /usr/local/lib/python2.7/dist-packages/hashivault_vars/hashivault_vars.py .
```
On Alpine Linux:
```bash
pip install hvac hashivault-vars && \
ln -s /usr/lib/python2.7/site-packages/hashivault_vars/hashivault_vars.py \
/usr/lib/python2.7/site-packages/ansible/plugins/vars
```
## Vault Secret Paths
Root path in vault:
* `/secret/ansible/`
Precendence (applied top to bottom, so last takes precendence):
* Groups:
* `/secret/ansible/groups/all`
* `/secret/ansible/groups/ungrouped`
* `/secret/ansible/groups/your_inv_item_group`
* ...
* Hosts/Domains:
* `/secret/ansible/{connection}/domains/com`
* `/secret/ansible/{connection}/domains/example.com`
* `/secret/ansible/{connection}/hosts/hosta.example.com`
where `{connection}` is `ansible_connection`, e.g.: "ssh", "winrm", ...
(this plugin attempts to make assumptions where `ansible_connection` is not
set)
All values retrieved from these paths are mapped as ansible variables,
e.g. `ansible_user`, `ansible_password`, etc.
The layered lookups are merged, with the last taking precendence over
earlier lookups.
Lookups to the vault are cached for the run.
## Developer Notes
### Enable Debugging
(danger, will reveal retrieved vault secrets in the ansible log)
Set environment variable `HASHIVAULT_VARS_DEBUG=1`.
### Release to PyPi
From vagrant
```bash
$ ./setup.py sdist bdist_wheel
$ twine upload dist/*
```
An Ansible Vars Plugin for Hashicorp Vault to lookup credentials/secrets,
injecting these into the playbook run (e.g. `ansible_user`, `ansible_password`,
etc).
Use Hashicorp Vault like you would ansible-vault'ed group_vars,
domain_vars [a new concept in this module!] and host_vars.
This module was developed for the [gostint](https://goethite.github.io/gostint/)
project.
## Installation
```bash
sudo pip install hashivault-vars
```
## Enable in Ansible
Symlink from ansible's vars plugins folder to `hashivault_vars.py`, e.g.:
```bash
$ cd /usr/local/lib/python2.7/dist-packages/ansible/plugins/vars
$ sudo ln -s /usr/local/lib/python2.7/dist-packages/hashivault_vars/hashivault_vars.py .
```
On Alpine Linux:
```bash
pip install hvac hashivault-vars && \
ln -s /usr/lib/python2.7/site-packages/hashivault_vars/hashivault_vars.py \
/usr/lib/python2.7/site-packages/ansible/plugins/vars
```
## Vault Secret Paths
Root path in vault:
* `/secret/ansible/`
Precendence (applied top to bottom, so last takes precendence):
* Groups:
* `/secret/ansible/groups/all`
* `/secret/ansible/groups/ungrouped`
* `/secret/ansible/groups/your_inv_item_group`
* ...
* Hosts/Domains:
* `/secret/ansible/{connection}/domains/com`
* `/secret/ansible/{connection}/domains/example.com`
* `/secret/ansible/{connection}/hosts/hosta.example.com`
where `{connection}` is `ansible_connection`, e.g.: "ssh", "winrm", ...
(this plugin attempts to make assumptions where `ansible_connection` is not
set)
All values retrieved from these paths are mapped as ansible variables,
e.g. `ansible_user`, `ansible_password`, etc.
The layered lookups are merged, with the last taking precendence over
earlier lookups.
Lookups to the vault are cached for the run.
## Developer Notes
### Enable Debugging
(danger, will reveal retrieved vault secrets in the ansible log)
Set environment variable `HASHIVAULT_VARS_DEBUG=1`.
### Release to PyPi
From vagrant
```bash
$ ./setup.py sdist bdist_wheel
$ twine upload dist/*
```
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
hashivault_vars-0.1.16.tar.gz
(4.9 kB
view hashes)
Built Distribution
Close
Hashes for hashivault_vars-0.1.16-py2-none-any.whl
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 | fbbf18fe31b00b49978d94b76f477c1c9a5523bf2e63b2b59e1458c3ae4ea5c2 |
|
| MD5 | 9b969cdaa90f09473d3c9e8b2aba1e49 |
|
| BLAKE2b-256 | 6d0d027fb7c6cded4db166fc52edf221cf2137ec7f7c291cb2b876357f483f81 |
