hashivault_aws_auth_role – Hashicorp Vault aws auth create role module

New in version 4.4.8.

Synopsis

  • Module to create an aws auth role

Requirements

The below requirements are needed on the host that executes this module.

  • hvac>=0.10.1

  • ansible>=2.0.0

  • requests

Parameters

allow_instance_migration
    If set to true, allows migration of the underlying instance where the client resides, i.e. the client nonce check is skipped when the instance has been moved to a new host. Applies only to logins via the ec2 auth type and is mutually exclusive with disallow_reauthentication.

auth_type
    Auth type permitted for this role. Valid choices are ec2 (login with the signed instance identity document) and iam (login with a signed STS GetCallerIdentity request).

authtype
    Choices: token, userpass, github, ldap, approle
    Default: token, or environment variable `VAULT_AUTHTYPE`
    Authentication type the module itself uses to log in to Vault. This is a connection setting for the module and is unrelated to the role's auth_type above.

aws_header
    Default: environment variable `VAULT_AWS_HEADER`
    X-Vault-AWS-IAM-Server-ID header value, used to prevent replay attacks.

bound_account_id
    If set, requires that the EC2 instance performing the login belongs to the given AWS account ID.

bound_ami_id
    If set, requires that the EC2 instance performing the login was launched from the given AMI ID.

bound_ec2_instance_id
    If set, requires that the login comes from the given EC2 instance ID.

bound_iam_instance_profile_arn
    If set, requires that the EC2 instance performing the login is associated with the given IAM instance profile ARN.

bound_iam_principal_arn
    IAM principal ARN (user or role) that must sign the login request. This is the binding used by the iam auth type.

bound_iam_role_arn
    If set, requires that the EC2 instance performing the login is associated with the given IAM role ARN.

bound_region
    If set, requires that the EC2 instance performing the login is in the given region.

bound_subnet_id
    If set, requires that the EC2 instance performing the login is in the given subnet ID.

bound_vpc_id
    If set, requires that the EC2 instance performing the login is in the given VPC ID.

ca_cert
    Default: environment variable `VAULT_CACERT`
    Path to a PEM-encoded CA cert file to use to verify the Vault server TLS certificate.

ca_path
    Default: environment variable `VAULT_CAPATH`
    Path to a directory of PEM-encoded CA cert files to verify the Vault server TLS certificate. If ca_cert is specified, its value takes precedence.

client_cert
    Default: environment variable `VAULT_CLIENT_CERT`
    Path to a PEM-encoded client certificate for TLS authentication to the Vault server.

client_key
    Default: environment variable `VAULT_CLIENT_KEY`
    Path to an unencrypted PEM-encoded private key matching the client certificate.

disallow_reauthentication
    If set to true, only allows a single token to be granted per instance ID; a further login for that instance is refused until its entry is removed from the auth method's access list. Applies only to logins via the ec2 auth type and is mutually exclusive with allow_instance_migration.

inferred_entity_type
    Instructs Vault to turn on inferencing. The only valid value is ec2_instance. With inferencing on, the EC2 instance bindings above can also be used with the iam auth type, and Vault then requires inferred_aws_region as well (the example below sets it).

login_mount_point
    Default: value of authtype, or environment variable `VAULT_LOGIN_MOUNT_POINT`
    Authentication mount point used by the module to log in to Vault.

max_ttl
    The maximum allowed lifetime of tokens issued using this role, provided as a number of seconds.

mount_point
    Location where the aws auth method is mounted, also known as its "path".

name
    Role name.

namespace
    Default: environment variable `VAULT_NAMESPACE`
    Namespace for Vault.

password
    Default: environment variable `VAULT_PASSWORD`
    Password to log in to Vault.

period
    If set, tokens issued using this role are periodic tokens that must be renewed within this period, provided as a number of seconds, and are not subject to a maximum TTL.

policies
    Policies attached to tokens issued using this role.

resolve_aws_unique_ids
    If set to true, the bound_iam_principal_arn is resolved to an AWS Unique ID for the bound principal ARN, so that an IAM entity deleted and recreated under the same name does not inherit the binding.

role_tag
    If set, enables role tags for this role; the value is the key of the tag on the EC2 instance that carries the role tag. Applies only to the ec2 auth type.

token
    Default: environment variable `VAULT_TOKEN`
    Token for Vault.

ttl
    The TTL of tokens issued using this role, provided as a number of seconds.

url
    Default: environment variable `VAULT_ADDR`
    URL for Vault.

username
    Default: environment variable `VAULT_USER`
    Username to log in to Vault.

verify
    Default: environment variable `VAULT_SKIP_VERIFY`
    If set, do not verify the presented TLS certificate before communicating with the Vault server. Setting this is not recommended except during testing.

Examples

---
- hosts: localhost
  tasks:
    - hashivault_aws_auth_role:
        name: myrole
        auth_type: iam
        # Inferencing lets the iam auth type use the EC2 instance bindings.
        inferred_entity_type: ec2_instance
        # Required by Vault whenever inferred_entity_type is set.
        inferred_aws_region: eu-west-1
        # Placeholder: an IAM role ARN has the form arn:aws:iam::<12-digit account>:role/<name>
        bound_iam_role_arn: arn:aws:iam::123456789012:role/ec2-role
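The following playbook is an added example, not part of the module's own documentation, showing one role per auth_type with the bindings tightened as far as each login mechanism allows. The account ID, AMI, VPC and subnet IDs, ARNs and policy names are placeholders; the Vault address and token are taken from `VAULT_ADDR` and `VAULT_TOKEN` in the environment; the first task assumes the `hashivault_auth_method` module from the same collection is available.

```yaml
---
# Added example (not from the module's documentation). All identifiers below
# are placeholders; VAULT_ADDR / VAULT_TOKEN are read from the environment.
- hosts: localhost
  tasks:
    # Assumes hashivault_auth_method from the same collection: enable the aws
    # auth method at the mount path the roles below refer to.
    - name: Enable the aws auth method
      hashivault_auth_method:
        method_type: aws
        mount_point: aws

    # ec2 auth type: the instance proves its identity with the signed instance
    # identity document, so every binding here is a property of that document.
    - name: Role for EC2 instances in one VPC/subnet launched from a pinned AMI
      hashivault_aws_auth_role:
        name: web-ec2
        mount_point: aws
        auth_type: ec2
        bound_account_id: "123456789012"
        bound_region: eu-west-1
        bound_vpc_id: vpc-0a1b2c3d4e5f67890
        bound_subnet_id: subnet-0123456789abcdef0
        bound_ami_id: ami-0123456789abcdef0
        bound_iam_instance_profile_arn: arn:aws:iam::123456789012:instance-profile/web
        # One token per instance ID: a second login with the same identity
        # document is refused until the instance is cleared from the access list.
        disallow_reauthentication: true
        policies:
          - web-read
        ttl: 3600
        max_ttl: 14400

    # iam auth type: the caller signs an STS GetCallerIdentity request, so the
    # binding is on the IAM principal rather than on instance metadata.
    - name: Role for the CI runner's IAM role
      hashivault_aws_auth_role:
        name: ci-runner
        mount_point: aws
        auth_type: iam
        bound_iam_principal_arn: arn:aws:iam::123456789012:role/ci-runner
        # Pin the binding to the principal's unique ID so that deleting and
        # recreating a role with the same name does not inherit this trust.
        resolve_aws_unique_ids: true
        policies:
          - ci-secrets
        ttl: 900
        max_ttl: 3600
```

The two roles deliberately use different binding sets: the EC2 bindings (account, region, VPC, subnet, AMI, instance profile) and disallow_reauthentication only apply to the ec2 auth type, while bound_iam_principal_arn with resolve_aws_unique_ids is the binding for the iam auth type. Mixing EC2 bindings into an iam role requires inferencing, as in the module's own example above.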

Status

Authors

  • UNKNOWN
