Hi,
I am using Ansible along with HashiCorp's Vault to store sensitive data.
I will be sending a Secret_ID to each server weekly, so that they can
get a token. With this token, they can access the contents of the Vault.
The problem is that we must send one secret ID per host, and they can only be
generated on the server where Ansible is installed.
So here is my current Ansible Playbook file:
---
- hosts: localhost
  gather_facts: no
  tasks:
    # vault's -format=json output is parsed with the from_json filter instead of
    # jq + replace(); the original replace('\','') does not survive YAML/Jinja escaping.
    - name: Generate secret_id
      shell: vault write -f -format=json auth/approle/role/my_role/secret-id
      register: secret_id
    - set_fact:
        secret_id_clean: "{{ (secret_id.stdout | from_json).data.secret_id }}"

- hosts: MyServers
  gather_facts: no
  tasks:
    - name: Get Approle Token
      shell: source /etc/profile && vault write -format=json auth/approle/login role_id=$VAULT_ROLE_ID secret_id="{{ hostvars['localhost']['secret_id_clean'] }}"
      args:
        executable: /bin/bash
      register: token
    - set_fact:
        token_clean: "{{ (token.stdout | from_json).auth.client_token }}"
in hosts file:
[MyServers]
1.1.1.1
2.2.2.2
3.3.3.3
But currently only one Secret_ID is generated and sent to the servers, so
only the fastest one gets the token and the rest do not, and that's a problem.
I am thinking about doing this in another programming language, but I
would prefer to do it inside the playbook; there must be a way of doing it.
There are some posts:
https://stackoverflow.com/questions/43140086/loop-through-hosts-with-ansible
https://devops.stackexchange.com/questions/2978/execute-multiple-ansible-tasks-with-the-same-list-of-items
But they don't explain how I could create 5 Secret_IDs and save
them to different registers/facts.
Thank you very much
--
You received this message because you are subscribed to the Google Groups
"Ansible Project" group.
To view this discussion on the web visit
https://groups.google.com/d/msgid/ansible-project/4f4002c2-d2bc-4581-99c5-060810bea1e4%40googlegroups.com.
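One way to get a distinct secret_id per host inside the playbook, as an added example that is not from the original post or from any reply to it: the localhost play loops over the inventory group, registers the result of every `vault write`, and folds the results into a dict keyed by inventory hostname; the second play then reads only its own entry. It assumes the same role name (my_role), group name (MyServers) and VAULT_ROLE_ID environment variable as the post, and that the `vault` CLI on the control node is already logged in with permission to generate secret IDs.

```yaml
---
# Added example, not code from the original post.
# Assumes: AppRole role "my_role", inventory group "MyServers", and
# $VAULT_ROLE_ID set in /etc/profile on the targets, as in the post.
- hosts: localhost
  gather_facts: no
  tasks:
    - name: Generate one secret_id per target host
      # No pipe needed: -format=json output is parsed below with from_json.
      command: vault write -f -format=json auth/approle/role/my_role/secret-id
      loop: "{{ groups['MyServers'] }}"
      register: secret_id_results
      changed_when: true
      no_log: true   # secret_ids must not end up in the play log

    - name: Build a hostname -> secret_id map from the registered results
      # item.item is the hostname the loop was on; item.stdout is vault's JSON.
      set_fact:
        secret_ids: "{{ secret_ids | default({}) | combine({item.item: (item.stdout | from_json).data.secret_id}) }}"
      loop: "{{ secret_id_results.results }}"
      loop_control:
        label: "{{ item.item }}"   # show the hostname, never the secret
      no_log: true

- hosts: MyServers
  gather_facts: no
  tasks:
    - name: Log in with this host's own secret_id
      shell: >
        source /etc/profile &&
        vault write -format=json auth/approle/login
        role_id="$VAULT_ROLE_ID"
        secret_id="{{ hostvars['localhost']['secret_ids'][inventory_hostname] }}"
      args:
        executable: /bin/bash
      register: login
      no_log: true

    - name: Keep only the client token as a per-host fact
      set_fact:
        vault_token: "{{ (login.stdout | from_json).auth.client_token }}"
      no_log: true
```

Each host must be present in `groups['MyServers']` under the same name it has as `inventory_hostname`, otherwise the dict lookup fails for that host. Since a secret_id is handed over unencrypted through Ansible, set `secret_id_num_uses=1` and a short `secret_id_ttl` on the AppRole role so a captured value cannot be replayed after the host has logged in, and keep `no_log: true` on every task that touches a secret_id or token.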