Documentation about auth_method 'none' hashi_vault

[Fabiokleis]

SUMMARY

- name: authenticate with vault agent
  ansible.builtin.debug:
    msg: "{{ lookup('community.hashi_vault.hashi_vault', 'secret/hello:value', auth_method='none', url='http://127.0.0.1:8100') }}"

I'm trying to understand how this works, I'm using vault agent to authenticate but I didn't understand how the hashi_vault retrives the token. In my agent configuration I save the token in a file in /tmp and after reading roleid and consuming secretid the ansible playbook works as espected.

I'm studying about the authentication methods, and I think would be nice if exist a way to pass the path of the token file generated by vault agent.

ISSUE TYPE

• Documentation Report

[briantist]

Hi @Fabiokleis ! The none auth method is useful when you want to Vault agent as the HTTP host, using it as an API proxy, in combination with auto-auth.

In your above example, it should work as long as your agent is listening on http://127.0.0.1:8100.

In that mode of operation, nothing running in Ansible needs to retrieve the token at all, because the request will go to the agent with no authentication, and the agent will proxy the request to its upstream Vault server with the token injected,

I recommend using the agent in this way, with the none authentication type, unless you cannot run agent as a proxy for some reason.

---

The other method you describe, where you want to directly use the token in Ansible, by reading it from the agent's token sink, is also possible, but not with the none auth method. In that case, use the token auth method. You would also probably point directly at the Vault server in this use case, not at the agent; if the agent is listening for HTTP requests, use the none method above.

You could look up the value yourself. You can use the ansible.builtin.file lookup plugin to read from a file on the controller, or the ansible.builtin.slurp module to read from a file on a remote target or on the controller. Although it's a bit of a weird use for it, I might even even consider using the ansible.builtin.password lookup if the agent is on the controller.

But the token auth method already supports reading the token from a file, by setting token_path and token_file

An example using the token method might be like this:

- name: authenticate with vault agent
  vars:
    ansible_hashi_vault_url: https://vault
    ansible_hashi_vault_auth_method: token
    ansible_hashi_vault_token_path: /tmp
    ansible_hashi_vault_token_file: token_file_name
  ansible.builtin.debug:
    msg: "{{ lookup('community.hashi_vault.vault_kv1_get', 'secret/hello').secret.value }}"

Note that I'm using vault_kv1_get here instead of the hashi_vault lookup, because the example path you gave looks like a KV1 path and I don't recommend using the hashi_vault lookup anymore (we have more specific plugins). This isn't related to your question, and both auth methods can still work with the hashi_vault lookup, but have a look at this page:

• https://docs.ansible.com/ansible/latest/collections/community/hashi_vault/docsite/migration_hashi_vault_lookup.html

I also used a lookup because your original example did, but we have modules now too, and there are some good reasons to use modules instead of lookups, there's more information on that here:

• https://docs.ansible.com/ansible/latest/collections/community/hashi_vault/docsite/lookup_guide.html