community.hashi_vault.hashi_vault lookup plugin getting permission denied constantly

Hey folks.

I am using the community.hashi_vault.hashi_vault lookup plugin in an attempt to get a secret from HashiCorp Vault.

I am issuing a login before all that, and I have a login token set via client_token: "{{ login_var.login.auth.client_token }}".

The lookup looks like the following:

- name: somename
  debug:
    msg: "Test secret: {{ lookup('community.hashi_vault.hashi_vault', 'path/to/secret:key', mount_point='secrets', token=client_token, url='some_url', validate_certs=false, return_format='values') }} "

When run, this throws the following:

fatal: [test]: FAILED! =>
   msg: 'An unhandled exception occurred while running the lookup plugin ''community.hashi_vault.hashi_vault''. Error was a <class ''ansible.errors.AnsibleError''>, original message: Forbidden: Permission Denied to secret ''redacted/path/to/secret''.. Forbidden: Permission Denied to secret ''redacted/path/to/secret''.'

After lots of head banging, I just can't get it to work.

First, it turns out that the secret path always needs to be the first parameter.
Before that, it was returning [] (empty responses).

Vault log shows the same permission denied error.

When testing with a custom written plugin, the same token works, so it's not a token or permission issue, but more likely the PATH.

The hashi_vault plugin has the following as a comment in the examples, but no actual parameter explanation:

When using KV v2 the PATH should include "data" between the secret engine mount and path (e.g. "secret/data/:path")
see: KV - Secrets Engines - HTTP API | Vault | HashiCorp Developer

When comparing the successful and failing requests, I can see that indeed the data/ is missing from the path.
But… after adding it manually, it simply does not get registered by HashiCorp Vault.
It seems like it gets removed from the secret path.

Any ideas on how to overcome this issue and get the secret value via the lookup plugin?

If you’re using kv2, you would be much better served with the community.hashi_vault.vault_kv2_get content (lookup or module).

Here are some docs:


As for your question though, most of the examples for the hashi_vault lookup do indeed show putting /data/ in the path.

If you use vault_kv2_get you will not need to insert /data/ between the secret engine and the secret path.

But… after adding it manually, it simply does not get registered by HashiCorp Vault.
It seems like it gets removed from the secret path.

Could you expand on what this means?

Could you expand on what this means?

As in, on the Vault logs, where the request is seen to fail, the given path is missing data/ in it, only path/to/secret. And I do not see a mount_point mentioned as well…

I was hoping to manage to get the hashi_vault lookup to work, since the currently implemented custom plugin is very close to it in functionality. And the total amount of playbooks that will need rework is big. Unfortunately, it does not seem like "the easy way" will work.

Hard to comment on this without knowing what it does.

The vault_kv2_get plugins were written specifically for it; as mentioned in the guides, it's much more straightforward to use. However, the hashi_vault lookup still works and does auth very similarly. I suspect you have the path wrong.

Is this referring to the vault logs or something else?

The mount_point option in the collection's plugins is the mount point for the auth method, which doesn't apply to token auth. I see in your example you're trying to set it to the secret engine mount point. That won't work because the hashi_vault lookup is not secret engine aware except implicitly (this is one of the things that makes it less than ideal).

If you use vault_kv2_get you can set engine_mount_point (if needed).

In hashi_vault you need to include the engine mount point as part of the path.

Your example should probably be:

- name: somename
  debug:
    msg: "Test secret: {{ lookup('community.hashi_vault.hashi_vault', 'secrets/data/path/to/secret:key', token=client_token, url='some_url', validate_certs=false, return_format='values') }} "
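To put the two approaches from this thread side by side, here is an added playbook that is not from the thread or the collection's own docs. It assumes a KV v2 engine mounted at "secrets", a secret at "path/to/secret" with a field "key", a token already obtained by the earlier login task, and a placeholder Vault URL; the variable names vault_url, vault_login_token, secret_via_hashi_vault, kv2_result and kv2_module are mine. The hashi_vault lookup needs the engine mount point and the KV v2 "data" segment spelled out inside the path term, while vault_kv2_get takes the mount point as the engine_mount_point option and the term is just the secret path.

```yaml
---
# Added example (not from the thread): reading one KV v2 secret three ways.
# Assumptions: KV v2 engine mounted at "secrets/", secret "path/to/secret"
# with field "key", token from the login task shown earlier in the thread,
# placeholder URL. Secrets are read into facts with no_log so they do not
# end up in the play output or logs.
- name: Read a KV v2 secret with community.hashi_vault
  hosts: localhost
  gather_facts: false
  vars:
    vault_url: "https://vault.example.com:8200"                     # placeholder
    vault_login_token: "{{ login_var.login.auth.client_token }}"   # from the prior login task
  tasks:
    # 1. hashi_vault lookup: not engine-aware, so both the engine mount point
    #    ("secrets") and the KV v2 "data" segment go inside the path term.
    #    mount_point is NOT used here; in this collection it refers to the
    #    auth method mount, not the secret engine.
    - name: hashi_vault lookup (mount point and data/ inside the path)
      ansible.builtin.set_fact:
        secret_via_hashi_vault: >-
          {{ lookup('community.hashi_vault.hashi_vault',
                    'secrets/data/path/to/secret:key',
                    token=vault_login_token, url=vault_url,
                    validate_certs=true) }}
      no_log: true

    # 2. vault_kv2_get lookup: engine-aware, so the mount point is an option
    #    and the term is the bare secret path with no data/ segment.
    - name: vault_kv2_get lookup (engine_mount_point option, plain path)
      ansible.builtin.set_fact:
        kv2_result: >-
          {{ lookup('community.hashi_vault.vault_kv2_get',
                    'path/to/secret',
                    engine_mount_point='secrets',
                    token=vault_login_token, url=vault_url,
                    validate_certs=true) }}
      no_log: true

    # 3. The same read as a module, which is easier to register and reuse.
    - name: vault_kv2_get module
      community.hashi_vault.vault_kv2_get:
        url: "{{ vault_url }}"
        token: "{{ vault_login_token }}"
        engine_mount_point: secrets
        path: path/to/secret
        validate_certs: true
      register: kv2_module
      no_log: true

    # All three reads hit the same KV v2 API path (secrets/data/path/to/secret),
    # so they must agree; compare values instead of printing them.
    - name: Confirm the three reads agree
      ansible.builtin.assert:
        that:
          - secret_via_hashi_vault == kv2_result.secret.key
          - kv2_result.secret.key == kv2_module.secret.key
        quiet: true
```

The failing lookup in the original post sends a request for secrets/path/to/secret (no data/ segment, and the mount_point option is ignored for the secret engine), which is not the KV v2 data endpoint, so Vault answers with permission denied rather than "not found"; the Vault audit log entry for the request path is the quickest way to confirm which of the two forms a playbook is actually sending.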