hashi_vault: Get token from env var or file

This allows getting the Vault token from the `VAULT_TOKEN` env var or
from the file `$HOME/.vault-token`, as both of these are understood by
the Vault CLI and are a common place to put Vault tokens. This allows
avoiding hard-coding a Vault token into playbooks or having to include
lookups.

`HOME/.vault-token` is nice because a user can authenticate with the CLI
using `vault auth` and then the token will be stored in
`$HOME/.vault-token`. If we read this file, then we allow someone to do
`vault auth` "out of band" to set up Vault access.
This commit is contained in:
Marc Abramowitz 2016-11-28 13:57:47 -08:00 committed by Brian Coca
parent aae1a00d7e
commit e2e4a69425

View file

@ -54,7 +54,16 @@ class HashiVault:
raise AnsibleError("Please pip install hvac to use this module")
self.url = kwargs.get('url', ANSIBLE_HASHI_VAULT_ADDR)
self.token = kwargs.get('token')
self.token = kwargs.get('token', os.environ.get('VAULT_TOKEN', None))
if self.token is None and os.environ.get('HOME'):
token_filename = os.path.join(
os.environ.get('HOME'),
'.vault-token'
)
if os.path.exists(token_filename):
with open(token_filename) as token_file:
self.token = token_file.read().strip()
if self.token is None:
raise AnsibleError("No Vault Token specified")