hashivault_token_create – Hashicorp Vault token create module

New in version 3.3.0.

Synopsis

  • Module to create tokens in Hashicorp Vault.

Requirements

The below requirements are needed on the host that executes this module.

  • hvac>=0.10.1

  • ansible>=2.0.0

  • requests

Parameters

Parameter / Choices and defaults / Comments

authtype
    Choices: token, userpass, github, ldap, approle
    Default: token, or environment variable `VAULT_AUTHTYPE`
    Authentication type.
aws_header
    Default: environment variable `VAULT_AWS_HEADER`
    X-Vault-AWS-IAM-Server-ID header value, used to prevent replay attacks.
ca_cert
    Default: environment variable `VAULT_CACERT`
    Path to a PEM-encoded CA cert file used to verify the Vault server TLS certificate.
ca_path
    Default: environment variable `VAULT_CAPATH`
    Path to a directory of PEM-encoded CA cert files used to verify the Vault server TLS certificate. If ca_cert is specified, its value takes precedence.
client_cert
    Default: environment variable `VAULT_CLIENT_CERT`
    Path to a PEM-encoded client certificate for TLS authentication to the Vault server.
client_key
    Default: environment variable `VAULT_CLIENT_KEY`
    Path to an unencrypted PEM-encoded private key matching the client certificate.
display_name
    A display name to associate with this token.
explicit_max_ttl
    An explicit maximum lifetime for the token.
id
    The token value that clients will use to authenticate with Vault.
lease
    If specified, the lease time will be this value (e.g. 1h).
login_mount_point
    Default: value of authtype, or environment variable `VAULT_LOGIN_MOUNT_POINT`
    Authentication mount point.
metadata
    Metadata to associate with the token.
namespace
    Default: environment variable `VAULT_NAMESPACE`
    Namespace for Vault.
no_default_policy
    Default: no
    If specified, the token will not have the "default" policy included in its policy set.
no_parent
    If specified, the token will have no parent.
num_uses
    The number of times this token can be used before it is automatically revoked.
orphan
    If specified, the token will have no parent. This prevents the new token from being revoked along with your token.
password
    Default: environment variable `VAULT_PASSWORD`
    Password to log in to Vault.
period
    If specified, every renewal will use the given period. Periodic tokens do not expire (unless explicit_max_ttl is also provided).
policies
    List of policies to associate with this token.
renewable
    Whether or not the token is renewable to extend its TTL, up to Vault's configured maximum TTL for tokens.
role
    If set, the token will be created against the named role.
token
    Default: environment variable `VAULT_TOKEN`
    Token for Vault.
ttl
    Initial TTL to associate with the token; renewals can extend this value.
url
    Default: environment variable `VAULT_ADDR`
    URL for Vault.
username
    Default: environment variable `VAULT_USER`
    Username to log in to Vault.
verify
    Default: environment variable `VAULT_SKIP_VERIFY`
    If set, do not verify the presented TLS certificate before communicating with the Vault server. Setting this variable is not recommended except during testing.
wrap_ttl
    Indicates that the response should be wrapped in a cubbyhole token with the requested TTL.

Examples

---
- hosts: localhost
  tasks:
    - name: "Create a {{admin_name}} token, and stop using root token"
      hashivault_token_create:
        display_name: "{{admin_name}}"
        policies: ["{{admin_name}}"]
        renewable: True
        token: "{{vault_root_token}}"
      register: "vault_token_admin"
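The playbook above mints a renewable admin token with no TTL, which is the kind of spec worth checking before it runs. As an added example (not code from the module, the hashivault collection or hvac), the following Python maps the module's token parameters onto the JSON body that Vault's `auth/token/create` endpoint accepts and then reviews that body for settings a reviewer would want flagged: missing lifetime, periodic tokens without `explicit_max_ttl`, orphan tokens that outlive their creator. The Vault field names (`policies`, `no_parent`, `no_default_policy`, `renewable`, `ttl`, `explicit_max_ttl`, `num_uses`, `period`, `display_name`, `meta`, `id`, `role_name`) are Vault's documented API fields; the 24-hour ceiling in `review_token_spec`, the helper names and the constructed sample specs are assumptions of this example.

```python
import re

# Vault duration strings: bare seconds or an integer with s/m/h/d suffix.
_UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400}


def parse_duration(value):
    """Convert "1h", "30m", "7d" or "3600" to seconds; None stays None."""
    if value is None:
        return None
    text = str(value).strip()
    if text.isdigit():
        return int(text)
    m = re.fullmatch(r"(\d+)([smhd])", text)
    if not m:
        raise ValueError("unrecognised duration: %r" % text)
    return int(m.group(1)) * _UNITS[m.group(2)]


# Module parameter name -> field in the auth/token/create request body.
_FIELD_MAP = {
    "id": "id",
    "role": "role_name",
    "policies": "policies",
    "metadata": "meta",
    "no_parent": "no_parent",
    "no_default_policy": "no_default_policy",
    "renewable": "renewable",
    "ttl": "ttl",
    "lease": "ttl",  # legacy name for ttl
    "explicit_max_ttl": "explicit_max_ttl",
    "display_name": "display_name",
    "num_uses": "num_uses",
    "period": "period",
}


def build_create_payload(params):
    """Return (endpoint, body, headers) for a dict of module-style parameters.

    `orphan` selects the create-orphan endpoint and `wrap_ttl` becomes the
    X-Vault-Wrap-TTL header. Connection parameters (url, token, authtype,
    ca_cert, ...) are not part of the request body and are ignored here.
    """
    body = {}
    for name, field in _FIELD_MAP.items():
        if params.get(name) is not None:
            body[field] = params[name]
    endpoint = "auth/token/create-orphan" if params.get("orphan") else "auth/token/create"
    headers = {}
    if params.get("wrap_ttl"):
        headers["X-Vault-Wrap-TTL"] = str(params["wrap_ttl"])
    return endpoint, body, headers


def review_token_spec(body, max_ttl_seconds=24 * 3600):
    """Return a list of findings about a create-token body (empty list = clean).

    The ttl ceiling is an assumption for this example, not a Vault default.
    """
    findings = []
    ttl = parse_duration(body.get("ttl"))
    max_ttl = parse_duration(body.get("explicit_max_ttl"))
    period = parse_duration(body.get("period"))
    policies = body.get("policies") or []

    if not policies and not body.get("role_name"):
        findings.append("no policies given: token inherits every policy of the calling token")
    if "root" in policies:
        findings.append("root policy requested")
    if period is not None and max_ttl is None:
        findings.append("periodic token without explicit_max_ttl never expires while it keeps being renewed")
    if ttl is None and period is None and max_ttl is None:
        findings.append("no ttl, period or explicit_max_ttl: lifetime falls back to the mount/system default")
    if ttl is not None and ttl > max_ttl_seconds:
        findings.append("ttl %ds exceeds the reviewer ceiling of %ds" % (ttl, max_ttl_seconds))
    if ttl is not None and max_ttl is not None and ttl > max_ttl:
        findings.append("ttl exceeds explicit_max_ttl; Vault will cap it")
    if body.get("no_parent") and body.get("renewable", True):
        findings.append("renewable orphan token: revoking the creator will not revoke it")
    return findings


# Constructed sample specs (not from the page): the playbook's admin token
# and a tightened CI token with bounded lifetime and use count.
PAGE_LIKE_SPEC = {"display_name": "admin", "policies": ["admin"], "renewable": True}
HARDENED_SPEC = {"display_name": "ci-deploy", "policies": ["deploy"], "ttl": "1h",
                 "explicit_max_ttl": "8h", "num_uses": 10, "renewable": False}

if __name__ == "__main__":
    for spec in (PAGE_LIKE_SPEC, HARDENED_SPEC):
        endpoint, body, headers = build_create_payload(spec)
        print(endpoint, body, headers, review_token_spec(body) or "clean")
```

Run it against a playbook's parameters before the play executes; anything in the findings list is a token whose blast radius is not bounded by time, use count or parentage.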

Status

Authors

  • UNKNOWN
