hashivault_consul_secret_engine_role – Hashicorp Vault Consul secret engine role

New in version 4.4.7.

Synopsis

  • Module to define a Consul secret engine role for which Vault can generate dynamic Consul credentials

Requirements

The below requirements are needed on the host that executes this module.

  • hvac>=0.10.1

  • ansible>=2.0.0

  • requests

Parameters

Parameter, choices/defaults, comments:

authtype
    Choices: token, userpass, github, ldap, approle
    Default: token, or environment variable `VAULT_AUTHTYPE`
    Authentication type.

aws_header
    Default: environment variable `VAULT_AWS_HEADER`
    X-Vault-AWS-IAM-Server-ID header value to prevent replay attacks.

ca_cert
    Default: environment variable `VAULT_CACERT`
    Path to a PEM-encoded CA cert file used to verify the Vault server TLS certificate.

ca_path
    Default: environment variable `VAULT_CAPATH`
    Path to a directory of PEM-encoded CA cert files used to verify the Vault server TLS certificate. If ca_cert is specified, its value takes precedence.

client_cert
    Default: environment variable `VAULT_CLIENT_CERT`
    Path to a PEM-encoded client certificate for TLS authentication to the Vault server.

client_key
    Default: environment variable `VAULT_CLIENT_KEY`
    Path to an unencrypted PEM-encoded private key matching the client certificate.

local
    Default: no
    Indicates that the token should not be replicated globally and should instead be local to the current datacenter. Only available in Consul 1.4 and greater.

login_mount_point
    Default: value of authtype, or environment variable `VAULT_LOGIN_MOUNT_POINT`
    Authentication mount point.

max_ttl
    Default: ""
    Specifies the max TTL for this role, as a string duration with a time suffix like "30s" or "1h", or as seconds. If not provided, the default Vault max TTL is used.

mount_point
    Default: consul
    Name of the secret engine mount.

name
    Specifies the name of the role against which to create this Consul credential.

namespace
    Default: environment variable `VAULT_NAMESPACE`
    Namespace for Vault.

password
    Default: environment variable `VAULT_PASSWORD`
    Password to log in to Vault.

policies
    Default: []
    The list of policies to assign to the generated token. Only available in Consul 1.4 and greater.

policy
    Default: ""
    Specifies the base64-encoded ACL policy. Required unless token_type is management.

state
    Choices: present, absent
    Default: present
    State of the object.

token
    Default: environment variable `VAULT_TOKEN`
    Token for Vault.

token_type
    Choices: client, management
    Default: client
    Specifies the type of token to create when using this role.

ttl
    Default: ""
    Specifies the TTL for this role, as a string duration with a time suffix like "30s" or "1h", or as seconds. If not provided, the default Vault TTL is used.

url
    Default: environment variable `VAULT_ADDR`
    URL for Vault.

username
    Default: environment variable `VAULT_USER`
    Username to log in to Vault.

verify
    Default: environment variable `VAULT_SKIP_VERIFY`
    If set, do not verify the presented TLS certificate before communicating with the Vault server. Setting this variable is not recommended except during testing.

Examples

---
- hosts: localhost
  tasks:
    - hashivault_consul_secret_engine_role:
        name: tester
        policy: pocketknife   # the policy parameter expects a base64-encoded Consul ACL policy
        state: present
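The parameter rules above (policy sent base64 encoded and required unless token_type is management, TTLs as "30s"/"1h" durations or plain seconds, policies only for Consul 1.4+) can be checked before a role is written. The following is an added example, not the module's own code: a hypothetical helper that builds the body the Vault Consul secrets engine accepts at roles/<name> under the mount point, using a constructed sample policy.

```python
import base64
import re

# Constructed sample Consul ACL policy (HCL); Vault stores it base64 encoded.
SAMPLE_POLICY_HCL = 'key_prefix "app/" { policy = "read" }\n'

_DURATION = re.compile(r"^\d+(s|m|h)$")


def normalize_ttl(value):
    """Accept "30s"/"1h" style durations or plain seconds (int or digit string)."""
    if value in ("", None):
        return ""  # empty means: use Vault's default TTL
    if isinstance(value, int):
        return str(value)
    value = str(value).strip()
    if value.isdigit() or _DURATION.match(value):
        return value
    raise ValueError("ttl must be seconds or a duration like 30s/1h: %r" % value)


def build_role_payload(policy_hcl="", policies=None, token_type="client",
                       local=False, ttl="", max_ttl=""):
    """Hypothetical helper: body for writing <mount_point>/roles/<name>.

    Mirrors the module's parameter rules: a client role needs a policy (or
    policies), the policy is base64 encoded, and TTLs are normalized.
    """
    if token_type not in ("client", "management"):
        raise ValueError("token_type must be client or management")
    if token_type == "client" and not policy_hcl and not policies:
        raise ValueError("policy (or policies) is required unless token_type is management")
    body = {"token_type": token_type, "local": bool(local)}
    if policy_hcl:
        body["policy"] = base64.b64encode(policy_hcl.encode()).decode()
    if policies:
        body["policies"] = list(policies)  # Consul 1.4 and greater only
    ttl, max_ttl = normalize_ttl(ttl), normalize_ttl(max_ttl)
    if ttl:
        body["ttl"] = ttl
    if max_ttl:
        body["max_ttl"] = max_ttl
    return body


def decode_policy(payload):
    """Reverse the encoding so an operator can review what Vault will store."""
    return base64.b64decode(payload["policy"]).decode()
```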

Status

Authors

  • UNKNOWN
