hashivault_approle_role – Hashicorp Vault approle management role module

New in version 4.0.0.

Synopsis

  • Module to create, update and delete AppRole roles in HashiCorp Vault's AppRole auth method.

Requirements

The below requirements are needed on the host that executes this module.

  • hvac>=0.10.1

  • ansible>=2.0.0

  • requests

Parameters

Each parameter is listed with its choices and default (where any) followed by a description. Parameters whose default reads "environment variable X" take their value from that variable on the host running the module when not set explicitly.

authtype
    Choices: token, userpass, github, ldap, approle
    Default: token, or environment variable `VAULT_AUTHTYPE`
    Authentication type used to log in to Vault.

aws_header
    Default: environment variable `VAULT_AWS_HEADER`
    Value of the X-Vault-AWS-IAM-Server-ID header sent with AWS IAM logins, used by Vault to prevent replay of signed login requests.

bind_secret_id
    Require a SecretID to be presented when logging in with this AppRole. Vault enables this by default; disabling it makes the RoleID alone sufficient to log in, so it should only be turned off when another bound (such as secret_id_bound_cidrs or token_bound_cidrs) is in place.

bound_cidr_list
    Deprecated; use token_bound_cidrs instead. Comma-separated string or list of CIDR blocks.

ca_cert
    Default: environment variable `VAULT_CACERT`
    Path to a PEM-encoded CA certificate file used to verify the Vault server's TLS certificate.

ca_path
    Default: environment variable `VAULT_CAPATH`
    Path to a directory of PEM-encoded CA certificate files used to verify the Vault server's TLS certificate. If ca_cert is specified, its value takes precedence.

client_cert
    Default: environment variable `VAULT_CLIENT_CERT`
    Path to a PEM-encoded client certificate for TLS client authentication to the Vault server.

client_key
    Default: environment variable `VAULT_CLIENT_KEY`
    Path to an unencrypted PEM-encoded private key matching the client certificate.

enable_local_secret_ids
    If set, SecretIDs generated for this role are cluster-local (they are not replicated to other clusters). This can only be set when the role is created.

login_mount_point
    Default: value of authtype, or environment variable `VAULT_LOGIN_MOUNT_POINT`
    Mount point of the auth method used to log in.

mount_point
    Default: approle
    Mount point of the AppRole auth method in which the role lives.

name
    Name of the role to manage.

namespace
    Default: environment variable `VAULT_NAMESPACE`
    Vault namespace to operate in.

password
    Default: environment variable `VAULT_PASSWORD`
    Password used to log in to Vault (for the userpass and ldap authtypes).

period
    Deprecated in Vault; use token_period instead. Period of the tokens generated for the role.

policies
    Deprecated in Vault; use token_policies instead. Policies attached to tokens issued for the role.

secret_id_bound_cidrs
    Comma-separated string or list of CIDR blocks. If set, a SecretID can only be used to log in from addresses within these blocks.

secret_id_num_uses
    Number of times any particular SecretID can be used to log in before it expires. A value of 0 means unlimited uses.

secret_id_ttl
    Duration after which any SecretID expires. A value of 0 means SecretIDs never expire.

state
    Choices: present, absent
    Default: present
    Whether the role should exist.

token
    Default: environment variable `VAULT_TOKEN`
    Vault token used to log in (authtype token).

token_bound_cidrs
    Comma-separated string or list of CIDR blocks. If set, logins succeed only from addresses within these blocks, and the issued tokens are bound to the same blocks.

token_explicit_max_ttl
    Explicit maximum lifetime encoded onto issued tokens. This is a hard cap: the token cannot be renewed past it even where token_ttl and token_max_ttl would otherwise allow a renewal.

token_max_ttl
    Duration after which an issued token can no longer be renewed.

token_no_default_policy
    If set, the default policy is not attached to issued tokens; only token_policies apply.

token_num_uses
    Number of times an issued token can be used. A value of 0 means unlimited uses. Tokens with a limited number of uses cannot create child tokens.

token_period
    If set, issued tokens are periodic: they can be renewed indefinitely as long as each renewal happens within this period, and no max TTL applies.

token_policies
    Policies attached to tokens issued for the role.

token_ttl
    Duration to set as the TTL for issued tokens, both at issue and at renewal time.

token_type
    Type of token to generate: `service`, `batch`, or `default` (use the mount's default token type).

url
    Default: environment variable `VAULT_ADDR`
    URL of the Vault server.

username
    Default: environment variable `VAULT_USER`
    Username used to log in to Vault.

verify
    Default: true, unless environment variable `VAULT_SKIP_VERIFY` is set
    Verify the Vault server's TLS certificate before communicating with it. Setting this to false is not recommended except during testing, since it allows an on-path attacker to impersonate the server and capture the login credentials and tokens.

Examples

---
- hosts: localhost
  tasks:
    # create role 'ashley' with the module and Vault defaults
    - hashivault_approle_role:
        name: ashley
    # remove the role again
    - hashivault_approle_role:
        name: ashley
        state: absent
    # create role 'terry' from the settings held in a JSON file
    - hashivault_approle_role:
        name: terry
        role_file: path/to/file.json
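A fuller playbook, added here as an example and not taken from the module's own documentation, shows the parameters above combined into a least-privilege AppRole for a CI deploy runner. The Vault address, CA file path, role name, policy name and CIDR blocks are placeholders chosen for illustration; it assumes the controller has a suitable Vault token in `VAULT_TOKEN` (authtype defaults to token).

```yaml
---
# Added example (not from the module's own docs). Placeholders: vault_url,
# the CA file path, the role name, the policy name and the CIDR blocks.
- hosts: localhost
  connection: local
  gather_facts: false
  vars:
    vault_url: https://vault.example.internal:8200   # placeholder address
    runner_cidr: 10.20.30.0/24                       # placeholder subnet of the CI runners
  tasks:
    - name: Create a hardened AppRole for the CI deploy runner
      hashivault_approle_role:
        url: "{{ vault_url }}"
        ca_cert: /etc/ssl/certs/internal-ca.pem      # placeholder path; verify stays at its default of true
        # login token is taken from VAULT_TOKEN on the controller
        name: ci-deploy
        mount_point: approle
        state: present
        # The RoleID alone must never be enough to log in
        bind_secret_id: true
        # SecretIDs are single-use and short-lived, so a leaked one is useless after the first login
        secret_id_num_uses: 1
        secret_id_ttl: 10m
        # A SecretID can only be redeemed from the runner subnet
        secret_id_bound_cidrs:
          - "{{ runner_cidr }}"
        # Issued tokens carry only the named policy, not the default policy
        token_policies:
          - ci-deploy-read                           # placeholder policy name
        token_no_default_policy: true
        # Short-lived, renewable only up to 1h, with a hard cap regardless of renewals
        token_ttl: 15m
        token_max_ttl: 1h
        token_explicit_max_ttl: 1h
        # Tokens stop working after 20 requests; this also prevents them from creating child tokens
        token_num_uses: 20
        # Tokens are tied to the same subnet as the SecretID
        token_bound_cidrs:
          - "{{ runner_cidr }}"
        token_type: service

    - name: Remove the role when the runner is decommissioned
      hashivault_approle_role:
        url: "{{ vault_url }}"
        ca_cert: /etc/ssl/certs/internal-ca.pem
        name: ci-deploy
        state: absent
```

The bounds are layered deliberately: even if a SecretID leaks from the CI system, it must be redeemed from the runner subnet within ten minutes and works only once, and the resulting token is network-bound, limited to twenty requests, and cannot outlive the one-hour cap however often it is renewed.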

Authors

  • UNKNOWN
