From e2e4a69425a4128738846be24e16544b56a7cda9 Mon Sep 17 00:00:00 2001
From: Marc Abramowitz
Date: Mon, 28 Nov 2016 13:57:47 -0800
Subject: [PATCH] hashi_vault: Get token from env var or file

This allows getting the Vault token from the `VAULT_TOKEN` env var or from the file `$HOME/.vault-token`, as both of these are understood by the Vault CLI and are a common place to put Vault tokens. This allows avoiding hard-coding a Vault token into playbooks or having to include lookups. `HOME/.vault-token` is nice because a user can authenticate with the CLI using `vault auth` and then the token will be stored in `$HOME/.vault-token`. If we read this file, then we allow someone to do `vault auth` "out of band" to set up Vault access.
---
 lib/ansible/plugins/lookup/hashi_vault.py | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/lib/ansible/plugins/lookup/hashi_vault.py b/lib/ansible/plugins/lookup/hashi_vault.py
index 4d9bb4f6c38..d92bf149119 100644
--- a/lib/ansible/plugins/lookup/hashi_vault.py
+++ b/lib/ansible/plugins/lookup/hashi_vault.py
@@ -54,7 +54,16 @@ class HashiVault:
             raise AnsibleError("Please pip install hvac to use this module")
 
         self.url = kwargs.get('url', ANSIBLE_HASHI_VAULT_ADDR)
-        self.token = kwargs.get('token')
+
+        self.token = kwargs.get('token', os.environ.get('VAULT_TOKEN', None))
+        if self.token is None and os.environ.get('HOME'):
+            token_filename = os.path.join(
+                os.environ.get('HOME'),
+                '.vault-token'
+            )
+            if os.path.exists(token_filename):
+                with open(token_filename) as token_file:
+                    self.token = token_file.read().strip()
 
         if self.token is None:
             raise AnsibleError("No Vault Token specified")
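Review bot: An empty token slips past the `if self.token is None` guard at the end of the hunk: `VAULT_TOKEN=""` in the environment, or a blank `~/.vault-token` (after `.strip()`), both yield `''`, which is not `None`, so the lookup goes on to call Vault with an empty token instead of failing with "No Vault Token specified". The `os.path.exists` check followed by `open` is also a check-then-use pair: a file that exists but is unreadable (owned by another user, or a directory at that path) raises a bare `IOError` out of the lookup rather than a clear `AnsibleError`, and the new `if self.token is None and ...` test has the same empty-string gap. Opening the file directly and treating a read failure as "no token on disk" covers both, with `if not self.token:` replacing the two `is None` tests in the hunk. The enclosing `__init__` starts before the hunk, so whether `os` is already imported at file level cannot be confirmed from here.
```python
        self.token = kwargs.get('token', os.environ.get('VAULT_TOKEN', None))
        if not self.token and os.environ.get('HOME'):
            token_filename = os.path.join(os.environ.get('HOME'), '.vault-token')
            try:
                with open(token_filename) as token_file:
                    self.token = token_file.read().strip()
            except IOError:
                # Missing or unreadable CLI token file: fall through to the
                # explicit "No Vault Token specified" error below.
                pass

        if not self.token:
            raise AnsibleError("No Vault Token specified")
```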