hashi_vault - lookup plugin should allow environment variables for Username / Password auth #54

Closed
nwerker opened this issue Feb 5, 2021 · 6 comments · Fixed by #96
@nwerker

nwerker commented Feb 5, 2021

SUMMARY

Moved from following issue in previous repository: Original Issue

Other authentication method parameters like token for instance can be passed via certain environment variables. There should be specific environment variables to pass "username", "password" and "mount_point" parameters to allow for cleaner and more flexible calls when using the lookup plugin with instance or userpass authentication.

ISSUE TYPE
  • Feature Idea
COMPONENT NAME

hashi_vault

ADDITIONAL INFORMATION

This would allow for global initializing of the parameters and solve problems of reusing them on each usage of the lookup plugin.

This would be an example of the current state:

---
- hosts: webservers
  gather_facts: yes
  environment:
    VAULT_AUTH_METHOD: "ldap"
  vars:
      first_var: "{{lookup('hashi_vault', 'secret=kv/example/example:first_var mount_point=ldap username=user_xyz password=******************')}}"
      second_var: "{{lookup('hashi_vault', 'secret=kv/example/example:second_var mount_point=ldap username=user_xyz password=******************')}}"
      another_var: "{{lookup('hashi_vault', 'secret=kv/example/example:another_var mount_point=ldap username=user_xyz password=******************')}}"
      yet_another_var: "{{lookup('hashi_vault', 'secret=kv/example/example:yet_another_var mount_point=ldap username=user_xyz password=******************')}}"

This would be an example of the usage after implementation:

---
- hosts: webservers
  gather_facts: yes
  environment:
    VAULT_USERNAME: "user_xyz"
    VAULT_PASSWORD: "*******************"
    VAULT_AUTH_METHOD: "ldap"
    VAULT_MOUNT_POINT: "ldap"
  vars:
      first_var: "{{lookup('hashi_vault', 'secret=kv/example/example:first_var')}}"
      second_var: "{{lookup('hashi_vault', 'secret=kv/example/example:second_var')}}"
      another_var: "{{lookup('hashi_vault', 'secret=kv/example/example:another_var')}}"
      yet_another_var: "{{lookup('hashi_vault', 'secret=kv/example/example:yet_another_var')}}"
@briantist briantist added the enhancement New feature or request label Feb 5, 2021
@briantist briantist changed the title hashi_vault lookup plugin should allow environment variable vor Username / Password auth hashi_vault - lookup plugin should allow environment variables for Username / Password auth Feb 5, 2021
@briantist
Collaborator

Hi @nwerker, env vars could certainly be added for this, with the caveat that they should follow the guidelines in #10. Are you interested in putting in a PR for this?

@nwerker
Author

nwerker commented Feb 9, 2021

Hey @briantist I would be interested in putting in a PR for this! Is there any special contributing guide I should follow?

@briantist
Collaborator

Unfortunately there's not a collection-specific guide to follow just yet. Luckily this change is exceptionally small, so the things you'd need to follow are:

Take a look at how the existing env vars are defined up in the doc string for the plugin. Don't forget to add version_added: in the env: entries; next version will be 1.2.0 as defined in galaxy.yml.


One thing I want to point out however: your examples, using the environment: keyword, will not work. Things that run on the controller, in the Ansible controller process, are not affected by the environment: keyword; they will only use the environment inherited when Ansible is first invoked.
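
The controller-versus-task distinction described in the comment above, as an added example that is not part of the original thread or the collection's code. DEMO_CRED and the file name demo.yml are constructed for illustration; the built-in env lookup stands in for any lookup plugin that reads the controller's environment.

```yaml
---
# Added illustration. DEMO_CRED is a constructed variable name, not a plugin option.
# Run it twice and compare the two debug messages:
#   ansible-playbook demo.yml
#   DEMO_CRED=from_shell ansible-playbook demo.yml
- hosts: localhost
  connection: local
  gather_facts: no
  environment:
    # Applies to the processes that execute tasks, not to the controller itself
    DEMO_CRED: "from_play_keyword"
  tasks:
    - name: Lookup plugins are evaluated inside the Ansible controller process
      ansible.builtin.debug:
        msg: "controller sees: {{ lookup('env', 'DEMO_CRED') | default('<unset>', true) }}"

    - name: Modules run as task processes and receive the environment keyword
      ansible.builtin.command: printenv DEMO_CRED
      register: task_env
      changed_when: false

    - name: Show what the task process saw
      ansible.builtin.debug:
        msg: "task sees: {{ task_env.stdout }}"
```

The lookup only returns a value when DEMO_CRED is exported in the shell that starts ansible-playbook, while the command task reports the value set by the environment: keyword in both runs. Credentials meant for a lookup plugin therefore have to be present in the invoking shell's environment.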

@briantist
Collaborator

@nwerker The changes referenced above have been released in v1.2.0.

@nwerker
Author

nwerker commented Jun 21, 2021

@briantist Thank you very much for the implementation! Sorry for not getting back to you sooner, I was unavailable for a few months due to wrist surgery! We will profit a lot from these changes, thank you heaps!

@briantist
Collaborator

@nwerker no worries, thank you for opening the issue, and I wish you a speedy recovery!
