# Ansible Vars Plugin for Hashicorp Vault

An Ansible Vars Plugin for Hashicorp Vault to look up credentials/secrets,
injecting these into the playbook run (e.g. `ansible_user`, `ansible_password`,
etc).

Use Hashicorp Vault like you would ansible-vault'ed group_vars,
domain_vars [a new concept in this module!] and host_vars.

This module was developed for the [gostint](https://goethite.github.io/gostint/)
project.

## Installation

```bash
sudo pip install hashivault-vars
```

## Enable in Ansible
Symlink from ansible's vars plugins folder to `hashivault_vars.py`, e.g.:
```bash
$ cd /usr/local/lib/python2.7/dist-packages/ansible/plugins/vars
$ sudo ln -s /usr/local/lib/python2.7/dist-packages/hashivault_vars/hashivault_vars.py .
```

On Alpine Linux:
```bash
pip install hvac hashivault-vars && \
ln -s /usr/lib/python2.7/site-packages/hashivault_vars/hashivault_vars.py \
/usr/lib/python2.7/site-packages/ansible/plugins/vars
```

## Vault Secret Paths
Root path in vault:

* `/secret/ansible/`

Precedence (applied top to bottom, so last takes precedence):

* Groups:
  * `/secret/ansible/groups/all`
  * `/secret/ansible/groups/ungrouped`
  * `/secret/ansible/groups/your_inv_item_group`
  * ...
* Hosts/Domains:
  * `/secret/ansible/{connection}/domains/com`
  * `/secret/ansible/{connection}/domains/example.com`
  * `/secret/ansible/{connection}/hosts/hosta.example.com`

where `{connection}` is `ansible_connection`, e.g.: "ssh", "winrm", ...
(this plugin attempts to make assumptions where `ansible_connection` is not
set)

All values retrieved from these paths are mapped as ansible variables,
e.g. `ansible_user`, `ansible_password`, etc.

The layered lookups are merged, with the last taking precedence over
earlier lookups.

Lookups to the vault are cached for the run.
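
The layering described above, as an added sketch that is not the plugin's own code: it builds the lookup order for one host and merges the layers, recording which path supplied each variable so an override can be audited without printing secret values. `lookup_paths`, `merge_layers` and the in-memory `SAMPLE_STORE` are hypothetical names, and deriving the domain layers from the host's DNS suffixes is an assumption based on the `hosta.example.com` listing.

```python
ROOT = "/secret/ansible"  # root path stated on the page


def lookup_paths(host, groups, connection):
    """Return Vault paths in lookup order; later entries override earlier."""
    paths = ["%s/groups/%s" % (ROOT, g) for g in groups]
    labels = host.split(".")
    # Assumption: domain layers are the host's DNS suffixes, shortest first
    # (com, example.com), as in the page's hosta.example.com listing.
    for i in range(len(labels) - 1, 0, -1):
        suffix = ".".join(labels[i:])
        paths.append("%s/%s/domains/%s" % (ROOT, connection, suffix))
    paths.append("%s/%s/hosts/%s" % (ROOT, connection, host))
    return paths


def merge_layers(paths, read_secret):
    """Merge each layer's key/values; record which path supplied each key."""
    merged, origin = {}, {}
    for path in paths:
        data = read_secret(path) or {}  # a missing path contributes nothing
        for key, value in data.items():
            merged[key] = value   # later layer wins
            origin[key] = path
    return merged, origin


# Constructed sample data standing in for Vault (not real secrets).
SAMPLE_STORE = {
    "/secret/ansible/groups/all": {"ansible_user": "deploy"},
    "/secret/ansible/ssh/domains/example.com": {"ansible_password": "domain-pw"},
    "/secret/ansible/ssh/hosts/hosta.example.com": {"ansible_password": "host-pw"},
}

if __name__ == "__main__":
    paths = lookup_paths("hosta.example.com", ["all", "ungrouped", "web"], "ssh")
    merged, origin = merge_layers(paths, SAMPLE_STORE.get)
    for key in sorted(merged):
        # Print only the key and its source path, never the secret value.
        print("%s <- %s" % (key, origin[key]))
```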

## Developer Notes

### Enable Debugging
(Danger: this will reveal retrieved Vault secrets in the Ansible log.)

Set environment variable `HASHIVAULT_VARS_DEBUG=1`.

### Release to PyPI
From vagrant:
```bash
$ ./setup.py sdist bdist_wheel
$ twine upload dist/*
```


## Download files

* Source distribution: `hashivault_vars-0.1.16.tar.gz` (4.9 kB)
* Built distribution: `hashivault_vars-0.1.16-py2-none-any.whl` (6.8 kB, Python 2)
