Closed 1ovsss closed 6 months ago
SUMMARY

It would be nice if hashi_vault would auto-renew the token during Ansible execution when using a token with a configured token_ttl and token_max_ttl.

ISSUE TYPE

COMPONENT NAME

lookup

ADDITIONAL INFORMATION

Let's say I have the following Vault configuration:

```
token_ttl = 900        # 15m
token_max_ttl = 10800  # 3h
```

I get a token like this:

```
% curl -X POST -H 'Content-Type: application/json' -d \
  '{ "password": "'"$LDAP_PASS"'" }' $VAULT_ADDR/v1/auth/ldap/login/${LDAP_USER}
---
{
  "request_id": "bxxx3-xxx-xxxx-xxxx-9xxxx4031",
  "lease_id": "",
  "renewable": false,
  "lease_duration": 0,
  "data": {},
  "wrap_info": null,
  "auth": {
    "client_token": "hvs.token",
    "accessor": "RRRxxxxhfaj",
    "policies": [ "policies" ],
    "token_policies": [ "policies" ],
    "metadata": { "username": "myusername" },
    "lease_duration": 900,
    "renewable": true,
    "entity_id": "5xxxb9-xxx-xxx-xxx-x593xxxd8e",
    "token_type": "service",
    "orphan": true,
    "mfa_requirement": null,
    "num_uses": 0
  }
}
```

This token has access to `/sys/token/*`, so it can renew itself (I checked with curl), and from the output above I assume `"renewable": true` also makes it possible.

But the tasks below:

```yaml
tasks:
  - name: message
    block:
      - name: sec1
        debug:
          msg: "{{ lookup('hashi_vault', 'secret=some/secret/path:sec1') }}"
      - name: sleep
        command: sleep 800
      - name: sec2
        debug:
          msg: "{{ lookup('hashi_vault', 'secret=some/secret/path:sec2') }}"
      - name: sleep
        command: sleep 200
      - name: sec3
        debug:
          msg: "{{ lookup('hashi_vault', 'secret=some/secret/path:sec3') }}"
    tags: [ sleep-vlt ]
```

where 800 + 200 > 900, give me:

```
TASK [sec1] ********************************************************************
[WARNING]: Collection community.hashi_vault does not support Ansible version 2.12.10
ok: [test.com] => {
    "msg": "secret1"
}

TASK [sleep] *******************************************************************
changed: [test.com]

TASK [sec2] ********************************************************************
[WARNING]: Collection community.hashi_vault does not support Ansible version 2.12.10
ok: [test.com] => {
    "msg": "secret2"
}

TASK [sleep] *******************************************************************
changed: [test.com]

TASK [sec3] ********************************************************************
[WARNING]: Collection community.hashi_vault does not support Ansible version 2.12.10
fatal: [test.com]: FAILED! => {"msg": "An unhandled exception occurred while running the lookup plugin 'hashi_vault'. Error was a <class 'ansible.errors.AnsibleError'>, original message: Forbidden: Permission Denied to secret 'some/secret/path'.. Forbidden: Permission Denied to secret 'some/secret/path'."}

PLAY RECAP *********************************************************************
test.com : ok=11 changed=2 unreachable=0 failed=1 skipped=0 rescued=0 ignored=0
```
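As an added example (not code from the issue, the reporter, or the community.hashi_vault collection), the following Python simulates the token lifecycle the report describes and wraps each read in the renew-before-use step the request asks for. `FakeVaultToken`, `read_with_renewal`, `replay_issue_timeline` and `first_failure_with_renewals` are constructed stand-ins and assumed names; nothing here talks to hvac or a live Vault. The only values taken from the page are the TTLs (900 s and 10800 s) and the timings of the three reads (0 s, 800 s, 1000 s).

```python
"""Simulated Vault token lifecycle with a renew-before-use wrapper.

Added example: FakeVaultToken is a constructed stand-in for a renewable
Vault service token, not the hvac client or a live Vault server. TTL
values are taken from the issue's Vault configuration.
"""
from dataclasses import dataclass, field

TOKEN_TTL = 900        # token_ttl = 15m (from the issue)
TOKEN_MAX_TTL = 10800  # token_max_ttl = 3h (from the issue)


class Forbidden(Exception):
    """Stands in for the 'Forbidden: Permission Denied' the lookup raised after expiry."""


@dataclass
class FakeVaultToken:
    """Constructed model of a renewable service token (assumption, not hvac)."""
    created_at: float
    ttl: int = TOKEN_TTL
    max_ttl: int = TOKEN_MAX_TTL
    renewable: bool = True
    expires_at: float = field(init=False, default=0.0)

    def __post_init__(self):
        self.expires_at = self.created_at + self.ttl

    def _check_alive(self, now, what):
        if now >= self.expires_at:
            raise Forbidden(f"Permission Denied to {what}")

    def lookup_self(self, now):
        """Like auth/token/lookup-self: remaining ttl and renewability."""
        self._check_alive(now, "token lookup")
        return {"ttl": int(self.expires_at - now), "renewable": self.renewable}

    def renew_self(self, now, increment=None):
        """Like auth/token/renew-self: new expiry = now + ttl, capped at created_at + max_ttl."""
        self._check_alive(now, "token renew")
        if not self.renewable:
            raise ValueError("token is not renewable")
        want = self.ttl if increment is None else increment
        self.expires_at = min(now + want, self.created_at + self.max_ttl)
        return {"ttl": int(self.expires_at - now)}

    def read_secret(self, now, path):
        """A read that needs a live token, like the hashi_vault lookup."""
        self._check_alive(now, f"secret '{path}'")
        return f"value-of-{path}"


def read_with_renewal(token, now, path, min_remaining=300):
    """Renew first if fewer than min_remaining seconds are left, then read.
    Returns (secret_value, renewed)."""
    info = token.lookup_self(now)
    renewed = False
    if info["renewable"] and info["ttl"] < min_remaining:
        token.renew_self(now)
        renewed = True
    return token.read_secret(now, path), renewed


def replay_issue_timeline(renew):
    """Replay the play from the issue: reads at t=0, t=800 and t=1000 seconds."""
    token = FakeVaultToken(created_at=0)
    results = []
    for t, path in ((0, "sec1"), (800, "sec2"), (1000, "sec3")):
        try:
            if renew:
                read_with_renewal(token, t, path)
            else:
                token.read_secret(t, path)
            results.append((t, path, "ok"))
        except Forbidden:
            results.append((t, path, "forbidden"))
    return results


def first_failure_with_renewals(interval=600):
    """Use (and renew) the token every `interval` seconds; return the first time
    a read is refused. Shows that renewals cannot push past token_max_ttl."""
    token = FakeVaultToken(created_at=0)
    t = 0
    while True:
        try:
            read_with_renewal(token, t, "probe", min_remaining=TOKEN_TTL)
        except Forbidden:
            return t
        t += interval


if __name__ == "__main__":
    print("no renewal  :", replay_issue_timeline(renew=False))
    print("with renewal:", replay_issue_timeline(renew=True))
    print("first refusal with renewals every 600s:", first_failure_with_renewals())
```

Two points worth noticing from the simulation: the renewal threshold (`min_remaining`) has to be larger than the longest gap between two uses, otherwise a token that still looked healthy at the previous read expires during the sleep; and renewal only ever extends the token up to `token_max_ttl` measured from creation, so a play that runs longer than three hours with this configuration would still need a fresh login rather than another renewal.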