hashi_vault: Get token from env var or file
This allows getting the Vault token from the `VAULT_TOKEN` env var or from the file `$HOME/.vault-token`, as both of these are understood by the Vault CLI and are a common place to put Vault tokens. This allows avoiding hard-coding a Vault token into playbooks or having to include lookups. `$HOME/.vault-token` is nice because a user can authenticate with the CLI using `vault auth` and then the token will be stored in `$HOME/.vault-token`. If we read this file, then we allow someone to do `vault auth` "out of band" to set up Vault access.
parent aae1a00d7e
commit e2e4a69425
1 changed files with 10 additions and 1 deletions
@ -54,7 +54,16 @@ class HashiVault:
|
|||
raise AnsibleError("Please pip install hvac to use this module")
|
||||
|
||||
self.url = kwargs.get('url', ANSIBLE_HASHI_VAULT_ADDR)
|
||||
self.token = kwargs.get('token')
|
||||
|
||||
self.token = kwargs.get('token', os.environ.get('VAULT_TOKEN', None))
|
||||
if self.token is None and os.environ.get('HOME'):
|
||||
token_filename = os.path.join(
|
||||
os.environ.get('HOME'),
|
||||
'.vault-token'
|
||||
)
|
||||
if os.path.exists(token_filename):
|
||||
with open(token_filename) as token_file:
|
||||
self.token = token_file.read().strip()
|
||||
if self.token is None:
|
||||
raise AnsibleError("No Vault Token specified")
|
||||
|
||||
|
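Review bot: the new `self.token is None` checks let an empty-string token through: if `VAULT_TOKEN` is set but empty, or `$HOME/.vault-token` exists but is blank, `self.token` becomes `""`, which is not `None`, so the file fallback is skipped and the final `raise AnsibleError("No Vault Token specified")` never fires; the empty token is then handed to hvac and the failure surfaces later as an opaque authentication error. Use truthiness for both guards, e.g. `if not self.token and os.environ.get('HOME'):` and `if not self.token:`, so an empty value is treated the same as a missing one. Also, the hunk references `os.environ` and `os.path` but does not show an `import os`; please confirm the module already imports `os` above the visible context.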