The vault module allows to ensure presence and absence of vault and members of vaults.
The vault module is as compatible as possible to the Ansible upstream ipa_vault module, and additionally offers to make sure that vault members, groups and owners are present or absent in a vault, and allow the archival of data in vaults.
- Vault management
FreeIPA versions 4.4.0 and up are supported by the ipavault module.
Controller
- Ansible version: 2.8+
Node
- Supported FreeIPA version (see above)
- KRA service must be enabled
Example inventory file
[ipaserver]
ipaserver.test.localExample playbook to make sure vault is present (by default, vault type is symmetric):
---
- name: Playbook to handle vaults
hosts: ipaserver
become: true
tasks:
- ipavault:
ipaadmin_password: SomeADMINpassword
name: symvault
password: SomeVAULTpassword
description: A standard private vault.Example playbook to make sure that a vault and its members are present:
---
- name: Playbook to handle vaults
hosts: ipaserver
become: true
tasks:
- ipavault:
ipaadmin_password: SomeADMINpassword
name: symvault
username: admin
users: user01action controls if the vault, data, member or owner will be handled. To add or remove members or vault data, set action to member.
Example playbook to make sure that a vault member is present in vault:
---
- name: Playbook to handle vaults
hosts: ipaserver
become: true
tasks:
- ipavault:
ipaadmin_password: SomeADMINpassword
name: symvault
username: admin
users: user01
action: memberExample playbook to make sure that a vault owner is absent in vault:
---
- name: Playbook to handle vaults
hosts: ipaserver
become: true
tasks:
- ipavault:
ipaadmin_password: SomeADMINpassword
name: symvault
username: admin
owner: user01
action: member
state: absentExample playbook to make sure vault data is present in a symmetric vault:
---
- name: Playbook to handle vaults
hosts: ipaserver
become: true
tasks:
- ipavault:
ipaadmin_password: SomeADMINpassword
name: symvault
username: admin
password: SomeVAULTpassword
data: >
Data archived.
More data archived.
action: memberWhen retrieving data from a vault, it is recommended that no_log: yes is used, so that sensitive data stored in a vault is not logged by Ansible. The data is returned in a dict vault, in the field data (e.g. result.vault.data). An example playbook to retrieve data from a symmetric vault:
---
- name: Playbook to handle vaults
hosts: ipaserver
become: true
tasks:
- name: Retrieve data from vault and register it in 'ipavault'
ipavault:
ipaadmin_password: SomeADMINpassword
name: symvault
username: admin
password: SomeVAULTpassword
state: retrieved
no_log: yes
register: ipavault
- name: Print retrieved data from vault
debug:
var: ipavault.vault.dataExample playbook to make sure vault data is absent in a symmetric vault:
---
- name: Playbook to handle vaults
hosts: ipaserver
become: true
tasks:
- ipavault:
ipaadmin_password: SomeADMINpassword
name: symvault
username: admin
password: SomeVAULTpassword
action: member
state: absentExample playbook to change the password of a symmetric:
---
- name: Playbook to handle vaults
hosts: ipaserver
become: true
tasks:
- ipavault:
ipaadmin_password: SomeADMINpassword
name: symvault
old_password: SomeVAULTpassword
new_password: SomeNEWpasswordExample playbook to make sure vault is absent:
---
- name: Playbook to handle vaults
hosts: ipaserver
become: true
tasks:
- ipavault:
ipaadmin_password: SomeADMINpassword
name: symvault
username: admin
state: absent
register: result
- debug:
msg: "{{ result.vault.data }}"| Variable | Description | Required |
|---|---|---|
ipaadmin_principal |
The admin principal is a string and defaults to admin |
no |
ipaadmin_password |
The admin password is a string and is required if there is no admin ticket available on the node | no |
name | cn |
The list of vault name strings. | yes |
description |
The vault description string. | no |
password | vault_password | ipavaultpassword | old_password |
Vault password. | no |
password_file | vault_password_file | old_password_file |
File containing Base64 encoded Vault password. | no |
new_password |
Vault new password. | no |
new_password_file |
File containing Base64 encoded new Vault password. | no |
public_key | vault_public_key | ipavaultpublickey |
Base64 encoded vault public key. | no |
public_key_file | vault_public_key_file |
Path to file with public key. | no |
private_key | vault_private_key | ipavaultprivatekey |
Base64 encoded vault private key. Used only to retrieve data. | no |
private_key_file | vault_private_key_file |
Path to file with private key. Used only to retrieve data. | no |
salt | vault_salt | ipavaultsalt |
Vault salt. | no |
vault_type | ipavaulttype |
Vault types are based on security level. It can be one of standard, symmetric or asymmetric, default: symmetric |
no |
username | user |
Any user can own one or more user vaults. | no |
service |
Any service can own one or more service vaults. | no |
shared |
Vault is shared. Default to false. (bool) | no |
users |
List of users that are members of the vault. | no |
groups |
List of groups that are member of the vault. | no |
services |
List of services that are member of the vault. | no |
owners | ownerusers |
List of users that are owners of the vault. | no |
ownergroups |
List of groups that are owners of the vault. | no |
ownerservices |
List of services that are owners of the vault. | no |
data |vault_data | ipavaultdata |
Data to be stored in the vault. | no |
in | datafile_in |
Path to file with data to be stored in the vault. | no |
out | datafile_out |
Path to file to store data retrieved from the vault. | no |
action |
Work on vault or member level. It can be on of member or vault and defaults to vault. |
no |
state |
The state to ensure. It can be one of present, absent or retrieved, default: present. |
no |
There is only a return value if state is retrieved.
| Variable | Description | Returned When |
|---|---|---|
vault |
Vault dict with archived data. (dict) Options: |
If state is retrieved and out is not defined. |
data - The vault data. |
Always |
ipavault uses a client context to execute, and it might affect execution time.
Rafael Jeffman