Hey folks.
I am using the community.hashi_vault.hashi_vault lookup plugin in an attempt to get a secret from HashiCorp Vault.
I am issuing a login before all that, and I have a login token set via client_token: "{{ login_var.login.auth.client_token }}".
The lookup looks like the following:

    - name: somename
      debug:
        msg: "Test secret: {{ lookup('community.hashi_vault.hashi_vault', 'path/to/secret:key', mount_point='secrets', token=client_token, url='some_url', validate_certs=false, return_format='values') }} "
When run, this throws the following:
fatal: [test]: FAILED! =>
msg: 'An unhandled exception occurred while running the lookup plugin ''community.hashi_vault.hashi_vault''. Error was a <class ''ansible.errors.AnsibleError''>, original message: Forbidden: Permission Denied to secret ''redacted/path/to/secret''.. Forbidden: Permission Denied to secret ''redacted/path/to/secret''.'
After lots of head banging, I just can't get it to work.
First, it turns out that you need to have the secrets path always as the first parameter. Before that it was returning [] (empty responses).
Vault log shows the same permission denied error.
When testing with a custom written plugin, the same token works, so it's not a token or permission issue, but more like PATH.
The hashi_vault plugin has the following as a comment in the examples, but no actual parameter explanation:
> When using KV v2 the PATH should include "data" between the secret engine mount and path (e.g. "secret/data/:path")
see: KV - Secrets Engines - HTTP API | Vault | HashiCorp Developer
When comparing the successful and failing requests, I can see that indeed the data/ is missing from the path.
But… after adding it manually, it simply does not get registered by HashiCorp Vault.
It seems like it gets removed from the secret path.
Any ideas on how to overcome this issue and get the secret value via the lookup plugin?
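A check, added here as an example and not part of the original post or of the community.hashi_vault collection, of how a KV v2 request path relates to the policy path a token needs. The policies and paths are constructed sample data, and the matching routine is a simplified model of Vault's documented policy-path rules.

```python
"""KV v2 path and policy check for Vault lookups (added example, not code
from the original post or the community.hashi_vault collection).

A KV v2 engine serves secrets at ``<mount>/data/<secret>``, so a policy
written KV v1-style (``secrets/path/to/secret``) never matches and Vault
answers "Permission Denied". Matching follows Vault's documented policy
syntax: trailing ``*`` is a prefix glob, ``+`` matches one segment.
"""


def kv2_api_path(mount_point: str, secret_path: str) -> str:
    """Build the KV v2 API path, inserting 'data/' once (idempotent)."""
    mount, secret = mount_point.strip("/"), secret_path.strip("/")
    if secret.startswith("data/"):  # caller already added it
        secret = secret[len("data/"):]
    return f"{mount}/data/{secret}"


def policy_path_matches(pattern: str, path: str) -> bool:
    """Match one policy path rule against a request path."""
    pat, req = pattern.strip("/").split("/"), path.strip("/").split("/")
    for i, seg in enumerate(pat):
        if i == len(pat) - 1 and seg.endswith("*"):
            # trailing glob: rest of the request must start with the prefix
            return i < len(req) and "/".join(req[i:]).startswith(seg[:-1])
        if i >= len(req) or (seg != "+" and seg != req[i]):
            return False
    return len(pat) == len(req)


def can_read(policy: dict, path: str) -> bool:
    """True if the most specific matching rule grants 'read'.

    Simplification: specificity is approximated by pattern length; real
    Vault prefers exact matches over globs and merges several policies.
    """
    matches = [p for p in policy if policy_path_matches(p, path)]
    if not matches:
        return False  # default deny -> the "Permission Denied" in the post
    return "read" in policy[max(matches, key=len)]


# Constructed sample policies; the first is what a KV v1 habit produces.
V1_STYLE_POLICY = {"secrets/path/to/secret": ["read"]}
V2_STYLE_POLICY = {"secrets/data/path/to/secret": ["read"],
                   "secrets/metadata/*": ["list"]}
```

Running `can_read` with both policies against `kv2_api_path("secrets", "path/to/secret")` shows the v1-style rule denying and the v2-style rule allowing the same token, which is the first thing to compare against the Vault audit log when the lookup returns Forbidden.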