approle auth not working with vault_kv2_get lookup

[carlos-lehmann]

Hey there,

Hope you're well! I'm seeking help with the lookup plugin vault_kv2_get

When I use the vault cli, with the approle to access a vault secret, everything works fine:

$ VAULT_TOKEN=$(vault write -field=token auth/approle/login role_id="408b1d9d-5b67-458a-8bc2-REDACTED" secret_id="4901a2fc-ced3-5cda-eb8d-REDACTED")
$ vault kv get -namespace=my_vault_namespace -field=my_field -mount=kv "my/kv-path/secret"
-----BEGIN RSA PRIVATE KEY-----

using community.hashi_vault.vault_kv2_get with ansible however fails:

- hosts: localhost
  gather_facts: no
  vars:
    ssh_dev: "{{ lookup('community.hashi_vault.vault_kv2_get', 'my/kv-path/secret', engine_mount_point='kv', url='https://REDACTED:443', namespace='my_vault_namespace', auth_method='approle', role_id='408b1d9d-5b67-458a-8bc2-REDACTED', secret_id='4901a2fc-ced3-5cda-eb8d-REDACTED')['secret']['my_field'] }}" 
    
  - name: Print ssh_dev
    ansible.builtin.debug:
      var: ssh_dev

output:

TASK [Print ssh_dev] ****************************************************************************************************************************************************************************************************************************
task path: //path/to/mytask.yml:49
Loading collection community.hashi_vault from /Users/carlos/.ansible/collections/ansible_collections/community/hashi_vault
[WARNING]: Collection community.hashi_vault does not support Ansible version 2.11.4
fatal: [localhost]: FAILED! => {
    "msg": "An unhandled exception occurred while templating '{{ lookup('community.hashi_vault.vault_kv2_get', 'my/kv-path/secret', engine_mount_point='kv', url='https://REDACTED:443', namespace='my_vault_namespace', auth_method='approle', role_id='408b1d9d-5b67-458a-8bc2-REDACTED', secret_id='4901a2fc-ced3-5cda-eb8d-REDACTED' )['secret']['my-field'] }}'. Error was a <class 'ansible.errors.AnsibleError'>, original message: An unhandled exception occurred while running the lookup plugin 'community.hashi_vault.vault_kv2_get'. Error was a <class 'hvac.exceptions.Forbidden'>, original message: permission denied, on post https://REDACTED:443/v1/auth/approle/login"
}

using the generated vault token $VAULT_TOKEN from vault cli (see above) instead of the approle works:

- hosts: localhost
  gather_facts: no
  vars:
    ssh_dev: "{{ lookup('community.hashi_vault.vault_kv2_get', 'my/kv-path/secret', engine_mount_point='kv', url='https://REDACTED:443', namespace='my_vault_namespace', token='hvs.CAESIIlgbqZ_eHD1SV5kE6EhutQ_TSBqpkwDtssxlz0EeuYmGiUKHGh2cyREDACTED' )['secret']['my_field'] }}" 

output:

TASK [Print ssh_dev] ****************************************************************************************************************************************************************************************************************************
task path: /path/to/mytask.yml:49
Loading collection community.hashi_vault from /Users/REDACTED/.ansible/collections/ansible_collections/community/hashi_vault
[WARNING]: Collection community.hashi_vault does not support Ansible version 2.11.4
ok: [localhost] => {
    "ssh_dev": "-----BEGIN RSA PRIVATE KEY-----

gpt is telling me that the plugin does authentication for me, I couldn't find the code snippet so any help appreciated if I have missed something obvious.

Cheers,
Carlos

[ji-podhead]

i dont get this to work either. i really tried to get this to work for almost 2 days now.
i tried the lookup version but it tell me that theres no url specified, so i tried the other method like this:

- hosts: host1
  gather_facts: no
  tasks:
    - name: damn
      vars:
        ansible_hashi_vault_auth_method: token
        ansible_hashi_vault_token: <my token>
        ansible_hashi_vault_engine_mount_point: "data/ansible/proxmox/dc-workshop1"
        ansible_hashi_vault_url: http://127.0.0.1:8200
      ansible.builtin.debug:
        msg: '{{ item.values() | list }}'
      with_community.hashi_vault.vault_kv2_get:
        - user

this is the error this method is producing:
{"msg": "Invalid or missing path ['user'] with secret version 'latest'. Check the path or secret version."}

---

so i just use the curl version now:

---
- hosts: localhost
  gather_facts: no
  tasks:
    - name: Get all secrets under a specific path
      uri:
        url: http://127.0.0.1:8200/v1/keyvalue/data/ansible/proxmox/dc-workshop1
        method: GET
        return_content: yes
        headers:
          X-Vault-Token: <my token>
      register: result

    - name: Print all secrets
      debug:
        var: result.json.data

[ji-podhead]

would be awesome if there was a proper video or example for this thing

[carlos-lehmann]

It might be that your engine_mount_point is wrong. Check issue: #279 the default is secret. In my case it's kv and yours is data/ansible/proxmox/dc-workshop1 but that seems to me like the path to your secret and not the mount point.

[briantist]

yes @carlos-lehmann is correct, you should not be including KV2's data in the mount point (nor in the path).

[carlos-lehmann]

I've tried with env variables instead:
ANSIBLE_HASHI_VAULT_AUTH_METHOD
ANSIBLE_HASHI_VAULT_ROLE_ID
ANSIBLE_HASHI_VAULT_SECRET_ID
with no luck, same error.

further proof when I do a curl to vault with approle role_id and secret_id:

curl --request POST --data '{"role_id": "408b1d9d-5b67-458a-8bc2-REDACTED", "secret_id": "4901a2fc-ced3-5cda-eb8d-REDACTED"}' https://REDACTED:443/v1/auth/approle/login

I get:

{"request_id":"b7ccebf0-82a0-4820-3f7e-083f40c5150e","lease_id":"","renewable":false,"lease_duration":0,"data":null,"wrap_info":null,"warnings":null,"auth":{"client_token":"hvs.REDACTED","accessor":"REDACTED","policies":["approle (auth_approle_REDACTED) 408b1d9d-5b67-458a-8bc2-REDACTED manager","default"],"identity_policies":["approle (auth_approle_REDACTED) 408b1d9d-5b67-458a-8bc2-REDACTED manager","default"],"metadata":{"role_name":"408b1d9d-5b67-458a-8bc2-REDACTED"},"lease_duration":3600,"renewable":true,"entity_id":"REDACTED","token_type":"service","orphan":true,"mfa_requirement":null,"num_uses":0}}

So generally speaking I can use the approle role_id and secret_id to authenticate to Vault and get a token back. Authentication just doesn't work with the Plugin :-(

Any further help to find the issue would be much appreciated!

[carlos-lehmann]

Some progress on my side... the problem is that authentication happens on the root namespace not on the one I give for the kv secret. Because of that either the login works with vault_kv2_get and then fetching the secret doesn't. Instead I'm now doing a login with vault_login plugin to get the token and then use that token to fetch the secret.

  tasks:
  - name: "login to vault"
    community.hashi_vault.vault_login:
      url: https://REDACTED:443
      auth_method: approle
      role_id: '408b1d9d-5b67-458a-8bc2-REDACTED'
      secret_id: '4901a2fc-ced3-5cda-eb8d-REDACTED'
    register: login_result

  - name: "Set vault_token as a fact"
    set_fact:
      vault_token: "{{ login_result['login']['auth']['client_token'] }}"

  - name: "Set secret data as a fact"
    set_fact:
      ssh_dev: "{{ lookup('community.hashi_vault.vault_kv2_get', 'my/kv/path', engine_mount_point='kv', namespace='my_namespace', token=vault_token, url='https://REDACTED:443')['secret']['my_field'] }}"

[briantist]

I was just typing up a response suspecting it was a namespace issue of some kind, and was going to suggest vault_login as a test.

It's especially interesting because the authentication code in the collection is shared between all plugins, so the fact that it works with vault_login is weird, maybe it's an issue of something not getting passed though.

I think this is worth opening a bug report issue for if you'd like to put the findings in there. Thanks for reporting!

[carlos-lehmann]

Hey @briantist

Thanks for the feedback, let me elaborate on here before I create a bug report.
So my suspicion is that authentication fails because I'm using namespace in vault_kv2_get:

"{{ lookup('community.hashi_vault.vault_kv2_get', 
'my/kv-path/secret', 
engine_mount_point='kv', 
url='https://REDACTED:443', 
namespace='my_vault_namespace', 
auth_method='approle', 
role_id='408b1d9d-5b67-458a-8bc2-REDACTED', 
secret_id='4901a2fc-ced3-5cda-eb8d-REDACTED')['secret']['my_field'] }}"

hvac.exceptions.Forbidden: permission denied, on post https://REDACTED:443/v1/auth/approle/login

And in vault_login I do not. Given the error message I'm not sure if the namespace really is the problem but as soon as I remove the namespace, the authentication works but fetching the secret won't as it is in another namespace.
I'm not sure if authentication in root and secrets in another namespace is an unsual concept but that's just the way it is here.

So after successful login I tried to workaround the problem by providing the namespace & mount point within the kv path as it's suggested in the documentation:
Optionally, this may be achieved by prefixing the authentication mount point and/or secret path with the namespace (e.g mynamespace/secret/mysecret).

Looking quickly at the actual API path (copied from the vault GUI) it supposed to be:
/v1/my_vault_namespace/kv/data/my/kv-path/secret
namespace followed by mount_point followed by kv-path.

if as suggested I use the mount point and secret path with the namespace in the secret path:

"{{ lookup('community.hashi_vault.vault_kv2_get', 
'my_vault_namespace/kv/data/my/kv-path/secret', 
url='https://REDACTED:443', 
auth_method='approle', 
role_id='408b1d9d-5b67-458a-8bc2-REDACTED', 
secret_id='4901a2fc-ced3-5cda-eb8d-REDACTED')['secret']['my_field'] }}"

Ansible's GET request will use this:
, on get https://REDACTED:443/v1/secret/data/my_vault_namepsace/kv/data/my/kv-path/secret

Which is wrong, as I have secret/dataand kv/data because engine_mount_point is defaulted to secret.
So I do need to use engine_mount_point and if I then use the namespace within the secret path:

"{{ lookup('community.hashi_vault.vault_kv2_get', 
'my_vault_namespace/my/kv-path/secret',
engine_mount_point='kv'
url='https://REDACTED:443', 
auth_method='approle', 
role_id='408b1d9d-5b67-458a-8bc2-REDACTED', 
secret_id='4901a2fc-ced3-5cda-eb8d-REDACTED')['secret']['my_field'] }}"

The GET request in ansible is:
, on get https://REDACTED:443/v1/kv/data/my_vault_namespace/my/kv-path/secret

And that's still wrong as namespace should be before the mount_point. And if I specify namespace it will fail again at login. So it seems to me there's no solution for my use case other than me using vault_login to login to vault and fetch a token and then use that in my vault_kv2_get lookups instead. What do you think?

[carlos-lehmann]

I also tried with an empty engine_mount_point and namespace & mount_point within the secret path:

"{{ lookup('community.hashi_vault.vault_kv2_get', 
'my_vault_namespace/kv/data/my/kv-path/secret', 
engine_mount_point=''
url='https://REDACTED:443', 
auth_method='approle', 
role_id='408b1d9d-5b67-458a-8bc2-REDACTED', 
secret_id='4901a2fc-ced3-5cda-eb8d-REDACTED')['secret']['my_field'] }}"

which results in:
, on get https://REDACTED:443/v1/data/my_vault_namespace/kv/data/my/kv-path/secret

so still one prefix data too much. I could imagine if that was gone, it could maybe work?

[briantist]

@carlos-lehmann thank you so much for elaborating! this makes a lot of sense and you went through all the permutations I would have suggested.

There is one other possible option which provides you with more control over the path, and that would be to use the vault_read plugin instead:

• https://docs.ansible.com/ansible/latest/collections/community/hashi_vault/vault_read_lookup.html

Since that plugin is not kv-aware, it isn't trying to do that level of path manipulation, and so you might be able to set the path to what it needs to be (by inserting /data/ in the right place), but you won't get the secret convenience return value from that plugin, so you'll have to index it as ['data']['data']['my_field'] or something like that.

In the end, using vault_login first and then using the resulting token might be the better way to achieve it.

You may want to consider using the module form of both plugins though, or at least for vault_login, to avoid excessive Vault logins. There's some more information on that here:

• https://docs.ansible.com/ansible/latest/collections/community/hashi_vault/docsite/lookup_guide.html

[carlos-lehmann]

I did look into that as well earlier but figured after getting this message, after using the wrong path within the vault cli:

 ~ export VAULT_NAMESPACE=my_vault_namespace
 ~ vault read "kv/data/my/kv-path/secret"
WARNING! The following warnings were returned from Vault:

  * Invalid path for a versioned K/V secrets engine. See the API docs for the
  appropriate API endpoints to use. If using the Vault CLI, use 'vault kv get'
  for this operation.

that I probably shouldn't use the approach with vault read but should use kv instead. Maybe I'm to cautious and want to limit my playbook to just use kv 🤷
But to be honest I'm happy with using login in a different role and vault_kv2_get within my playbook roles. I will definitely check out modules vs lookup. Thank you 👍