hashivault-vars

Release 0.1.20

Ansible Vars Plugin for Hashicorp Vault

Homepage PyPI Python

License
MIT
Install
pip install hashivault-vars==0.1.20

Documentation

Ansible Vars Plugin for Hashicorp Vault

An Ansible Vars Plugin for Hashicorp Vault to lookup credentials/secrets, injecting these into the playbook run (e.g. ansible_user, ansible_password, etc).

Use Hashicorp Vault like you would ansible-vault'ed group_vars, domain_vars [a new concept in this module!] and host_vars.

This module was originaly developed for the gostint project.

Prereqs

  • Ansible
  • You may need pip install urllib3
  • pip install hvac

Installation

sudo pip install hashivault-vars

Enable in Ansible

In ansible.cfg:

vars_plugins = /usr/local/lib/python2.7/dist-packages/hashivault_vars

Or, symlink from ansible's vars plugins folder to hashivault_vars.py, e.g.:

$ cd /usr/local/lib/python2.7/dist-packages/ansible/plugins/vars
$ sudo ln -s /usr/local/lib/python2.7/dist-packages/hashivault_vars/hashivault_vars.py .

On Alpine Linux:

pip install hvac hashivault-vars && \
ln -s /usr/lib/python2.7/site-packages/hashivault_vars/hashivault_vars.py \
  /usr/lib/python2.7/site-packages/ansible/plugins/vars

Vault Secret Paths

Root path in vault:

  • /secret/ansible/

Precendence (applied top to bottom, so last takes precendence):

  • Groups:

    • /secret/ansible/groups/all
    • /secret/ansible/groups/ungrouped
    • /secret/ansible/groups/your_inv_item_group
    • ...

  • Hosts/Domains:

    • /secret/ansible/domains/com
    • /secret/ansible/{connection}/domains/com
    • /secret/ansible/domains/example.com
    • /secret/ansible/{connection}/domains/example.com
    • /secret/ansible/hosts/hosta.example.com
    • /secret/ansible/{connection}/hosts/hosta.example.com

where {connection} is ansible_connection, e.g.: "ssh", "winrm", ... (this plugin attempts to make assumptions where ansible_connection is not set, but does not assume to inject this into vars in the playbook. Best practice therefore would be to set ansible_connection in your ansible inventory).

All values retrieved from these paths are mapped as ansible variables, e.g. ansible_user, ansible_password, etc.

The layered lookups are merged, with the last taking precedence over earlier lookups.

Lookups to the vault are cached for the run.

Developer Notes

Travis CI

Pull requests and merges to master trigger pylint and BATS tests.

Running BATS tests

in vagrant:

$ tests/test.sh

Enable Debugging

(danger, will reveal retrieved vault secrets in the ansible log)

Set environment variable HASHIVAULT_VARS_DEBUG=1.

Release to PyPi

From vagrant (pip prereqs are required), e.g.:

$ ./setup.py sdist bdist_wheel

Release from host:

$ twine upload dist/hashivault_vars-0.1.17*

Stats

Dependencies
2
Dependent packages
0
Dependent repositories
0
Total releases
24
Latest release
First release
Stars
0
Forks
2
Watchers
1
Contributors
2
Repository size
37.1 KB
SourceRank
7

Development practices

Source repo 2FA enabled
TEXT!
Package manager 2FA enabled
TEXT!
Is security responsive
TEXT!
Dependencies are managed
TEXT!
Issue-free release available
TEXT!
Succession plan available
TEXT!
Package manager 2FA enabled
TEXT!

The Tidelift Subscription provides access to a continuously curated stream of human-researched and maintainer-verified data on open source packages and their licenses, releases, vulnerabilities, and development practices.

Learn more

Releases

0.2.0
0.1.22
0.1.21
0.1.20
0.1.19
0.1.18
0.1.17
0.1.16
0.1.15
0.1.14
See all 24 releases

Contributors

Graham Lee Bevan Ezra Buehler


See all contributors

Something wrong with this page? Make a suggestion

Export .ABOUT file for this package

Last synced: 2021-02-16 06:34:07 UTC

Login to resync this project