vault-provision

Vault-Provision

The Ansible role for install and configure vault and then provision variables on it. Module supports RHEL/Centos6+7/Fedora for now. The role will be extended in the future and will support Debian/Ubuntu and other operating systems.

Requirements

This role requires Ansible 2.0 or higher.

Role Variables

Variable part is devided into three sections:

General part

### ########################################################### ###
### General section                                             ###
### ########################################################### ###

vault_token: "{{ lookup('env', 'VAULT_TOKEN') }}" # token to provision vault is taken from environment variables, unless you provide vault_token by extra vars or you override this value by your ansible variable

vault_app_mirror: 'https://releases.hashicorp.com' # Package repository
vault_app_platform: 'linux_amd64' # Which one platform are you interested in 
vault_app_install_dir: '/opt/vault' # Instalation directory where vault will be installed

vault_app: vault # Vault zip package name
vault_app_ver: '0.6.4' # Version of vault application
vault_app_checksum: sha256:04d87dd553aed59f3fe316222217a8d8777f40115a115dac4d88fac1611c51a6 # Checksum of the Vault zip package

vault_app_name : '{{vault_app}}_{{vault_app_ver}}_{{vault_app_platform}}' # Vault's package name to download
vault_app_zip : '{{vault_app_name}}.zip' # Vault's zip package to download
vault_app_url : '{{vault_app_mirror}}/{{vault_app}}/{{vault_app_ver}}/{{vault_app_zip}}' # Full URL to get the Vault package

method: http # Whether https or http should be use for provisioning process
vault_domain_name: vault.your.domain # Vault domain name or ip address
vault_api_version: v1 # Vault's REST API version
content_type: application/json # The content type of the http body request

vault_user: vault # Group which is allowed to run vault service
vault_group: vault # User which is allowed to run vault service

vault_service_enabled: true # Controls whether service automatically started

backend_type: file # backend used by you. All possible supported backends are listed at [`https://www.vaultproject.io/docs/config/index.html`](https://www.vaultproject.io/docs/config/index.html).

Configuration part

Variables for Configuration part are well described at vault website https://www.vaultproject.io/docs/config/index.html. Basicly variable names in this module reflect these in vault config documentation. You can define more than one vault_configuration.backend variable but just one will be use and you have to specify which one in backend_type variable in general section. The module is flexible and backend_type variable can be whatever backend which is supperted by Vault. In your config please keep only variables which is used by you. Rest of the variables can be commented out or just removed. For now all possible configuration variables are mention below:

### ########################################################### ###
### Configuration section                                       ###
### ########################################################### ###

vault_configuration:
  backend:
    consul:
      path: vault
      address: 127.0.0.1:8500
      scheme:
      check_timeout:
      disable_registration:
      service:
      service_tags:
      token:
      max_parallel:
      consistency_mode:
      tls_skip_verify:
      tls_min_version:
      tls_ca_file:
      tls_cert_file:
      tls_key_file:
    etcd:
      path:
      address:
      sync:
      ha_enabled:
      username:
      password:
      tls_ca_file:
      tls_cert_file:
      tls_key_file:
    zookeeper:
      path:
      address:
      auth_info:
      znode_owner:
    dynamodb:
      access_key:
      secret_key:
      table:
      read_capacity:
      write_capacity:
      session_token:
      endpoint:
      region:
      max_parallel:
      ha_enabled:
      recovery_mode:
    s3:
      bucket: bucket_name
      access_key: AKIAJWVN5Z4FOFT7NLNA
      secret_key: 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
      session_token:
      endpoint:
      region: us-east-1
    gcs:
      bucket:
      credentials_file:
      max_parallel:
    azure:
      accountName:
      accountKey:
      container:
      max_parallel:
    swift:
      container:
      username:
      password:
      auth_url:
      tenant:
      max_parallel:
    mysql:
      username:
      password:
      address:
      database:
      table:
      tls_ca_file:
    postgresql:
      connection_url:
      table:
    inmem:
    file:
      path: /opt/vault/storage
    ha_options:
      redirect_addr:
      cluster_addr:
      disable_clustering:
  listener: #"tcp" and "atlas" are valid values
    tcp:
      address: 0.0.0.0:8200
      tls_disable: 1
      cluster_address:
      tls_cert_file:
      tls_key_file:
      tls_min_version:
    atlas:
      endpoint:
      infrastructure:
      node_id:
      token:
    telemetry:
      statsite_address:
      statsd_address:
      disable_hostname:
      circonus_api_token:
      circonus_api_app:
      circonus_api_url:
      circonus_submission_interval:
      circonus_submission_url:
      circonus_check_id:
      circonus_check_force_metric_activation:
      circonus_check_instance_id:
      circonus_check_search_tag:
      circonus_check_display_name:
      circonus_check_tags:
      circonus_broker_id:
      circonus_broker_select_tag:
  ha_backend:
  cluster_name:
  cache_size:
  disable_cache: false
  disable_mlock: false
  default_lease_ttl:
  max_lease_ttl:
  ui:

Provision part

### ########################################################### ###
### Provision section                                           ###
### ########################################################### ###

backends: # Define backends which will be created
  - backend_name: secret # Backend named secret will be created if doesn't exist
    configuration:
      type: generic # Type of the backend
      description: This backend stores credentials of users # Description
      config:
        max_lease_ttl: 4000 # Max TTL time
    path: secret # Vault internal path where backend will be mounted 
    secrets: # Set of data container which will be created
      - container_name: authcredentials # Data container named authcredentials
        data: # Comprise all keys and values which will be provisioned into secret/authcredentials
          username: password 
          david: superstrongpasswordfordavid
          daniel: superstrongpasswordfordaniel
      - container_name: privatekeys # Data container named privatekeys
        data: # Comprise all keys and values which will be provisioned into secret/privatekeys
          key_name: encryptedkey
          key_for_mail: enctryptedkeyformail
  - backend_name: test # Backend named test will be created if doesn't exist
    configuration:
      type: generic # Type of the backend
    path: test # Vault internal path where backend will be mounted
    secrets: # Set of data container which will be created
      - container_name: test_container # Data container named test_container
        data: # Comprise all keys and values which will be provisioned into test/test_container
          important_data: importantdatavalue
          another_important_data: anotherimportantdatavalue

initialization: # PGP keys for initialization process
  root_token_pgp_key: mQENBFhZFd4BCADGj9gcnJHRwQk1UL8BxTugxmJ6uk82S837LWqzrsDv18zObBQK8bmTFps4x6DrUbLbxzHRB7kxbR5g/KN2qCqMYcYkKgLqMqo9XaS4vCriQKCFaZ3FWG99/TxUurPpy+crVCDun8UMGmWZCvRu7UBJQsAF1htukVhdEXAd1116WRD6W5k/+X6B6FvSAD7ud/PWUENdtLxiRgBVhRCHWPlJvdA7I7EaBjF5TMbwFP4wlSHxbdrWZ0z9wGk5FFbtl1qlNaojyJR1Gs3a7T7lB7y1dr6Y727JAYHP5uzQo06F0nfQm58sXtmeBnyhOHZ04BzXBik+Uoh9Bh1Uj7em0cP5ABEBAAG0T0tyenlzenRvZiBTemV3Y3p5ayAoRW5jcnlwdGlvbiBrZXkgZm9yIEhhc2hpY29ycCBWYXVsdCkgPGsuc3pld2N6eWtAa2Fpbm9zLmNvbT6JAT4EEwECACgFAlhZFd4CGwMFCQHhM4AGCwkIBwMCBhUIAgkKCwQWAgMBAh4BAheAAAoJEMOj6FrFv4ik9bsH/3gmLKh8r2xhsbA79bEzBjNPDX9G6qeHfea+RMRjLH5yvNH9/Hnjwkqn3LIAdpzacldrjZMEpqS5z310gxk+cyNB/dFe/Wqmh1UQljDQ354qAZAtQ7OLuypVsg+tI8aIRQieCEC4Ck/h8xnAK8AoOHb29vR+BMNdqp+TNrDrAeYAKchmJiWcYxt5YqT4AP5JRzT82o2Sms3ihyFe1KxgcNbrNjJpEMoCnu8l5e1RrlIeMU8Hm5Mms1ZvausPfFlsa76shhOCZMfZ2acsuuTRqx8ed8UrSmDqAiia60BupsfRfMkqf/GdkEEESoRKhz1EHAUQiC9Flshyl/CjWqCIQCi5AQ0EWFkV3gEIAKLrtH904COoJhOjdqUQNSGu0TSsNik2Hd/v5A5KxG7a2iiqLOD73VvINaTHpwUjkWR3OcgRuqsnshST/qg3T1t8gghON70Pg6nKEPbDGabhA19fQ64woSvY6I2ZTv/XY0CxxDAVNN2O3rpl6ZnUgQBVjd/u4Nx3cydf30MnPtipb9bJ1ISZvWtMAYxAeiqd/6rcj/BXSQBt05ffDwPBd5+7pL7gQrJTa51icggKq06KwTfSdi0cPmqvOenKZB0exrp2jtxw1+QIhlhJJyv33fxaJHZaFqlh7vn6j7e03J4UaVPl5h/fnNg3i1uJJW9E6ECfAwRy394r7V1LUZ/GiEMAEQEAAYkBJQQYAQIADwUCWFkV3gIbDAUJAeEzgAAKCRDDo+haxb+IpJFmB/99Ss1U/dJA/XFwWofj3iEDM3W7OJoahYJLD7eOo3lPT8vNnLEVOPkSPjvaggkSsM3Xp5WZw2/oQ3p5KuIE2bSGK/Ok8zEAjEbn5vT4GNTBSH070OAQEHD5dEcYmh9EKSnitPXlLMOG/szsnReimBjLXRibU2wvuMeY7QO58K9kHm1K9cpNWuU5h8M4CMlBATvfl4ZeIBm6K9gmqKKxkF+7Mw1U8XG/OZv6GQwbMER3h7cdsor9LsOZTIdZW7bj9Iyh42hZHMcWq1E2VvHuklwJdpZfKlUs6b/6WwSPsypLLfHnO6C/G726MXH2JuZe5/fFpn+skxgbYNZ1y1BTnyvs # Public part of PGP key for vault root token encryption. After initialization process outputted root token is encrypted by this PGP public key
  secret_threshold: 1 # Define how many keys is required to unseal the vault (This value have to be less then length of the below pgp_keys array )
  pgp_keys: # Array defined how many keys will be created. The keys will be encrypted by below PGP keys
   - mQENBFhZFd4BCADGj9gcnJHRwQk1UL8BxTugxmJ6uk82S837LWqzrsDv18zObBQK8bmTFps4x6DrUbLbxzHRB7kxbR5g/KN2qCqMYcYkKgLqMqo9XaS4vCriQKCFaZ3FWG99/TxUurPpy+crVCDun8UMGmWZCvRu7UBJQsAF1htukVhdEXAd1116WRD6W5k/+X6B6FvSAD7ud/PWUENdtLxiRgBVhRCHWPlJvdA7I7EaBjF5TMbwFP4wlSHxbdrWZ0z9wGk5FFbtl1qlNaojyJR1Gs3a7T7lB7y1dr6Y727JAYHP5uzQo06F0nfQm58sXtmeBnyhOHZ04BzXBik+Uoh9Bh1Uj7em0cP5ABEBAAG0T0tyenlzenRvZiBTemV3Y3p5ayAoRW5jcnlwdGlvbiBrZXkgZm9yIEhhc2hpY29ycCBWYXVsdCkgPGsuc3pld2N6eWtAa2Fpbm9zLmNvbT6JAT4EEwECACgFAlhZFd4CGwMFCQHhM4AGCwkIBwMCBhUIAgkKCwQWAgMBAh4BAheAAAoJEMOj6FrFv4ik9bsH/3gmLKh8r2xhsbA79bEzBjNPDX9G6qeHfea+RMRjLH5yvNH9/Hnjwkqn3LIAdpzacldrjZMEpqS5z310gxk+cyNB/dFe/Wqmh1UQljDQ354qAZAtQ7OLuypVsg+tI8aIRQieCEC4Ck/h8xnAK8AoOHb29vR+BMNdqp+TNrDrAeYAKchmJiWcYxt5YqT4AP5JRzT82o2Sms3ihyFe1KxgcNbrNjJpEMoCnu8l5e1RrlIeMU8Hm5Mms1ZvausPfFlsa76shhOCZMfZ2acsuuTRqx8ed8UrSmDqAiia60BupsfRfMkqf/GdkEEESoRKhz1EHAUQiC9Flshyl/CjWqCIQCi5AQ0EWFkV3gEIAKLrtH904COoJhOjdqUQNSGu0TSsNik2Hd/v5A5KxG7a2iiqLOD73VvINaTHpwUjkWR3OcgRuqsnshST/qg3T1t8gghON70Pg6nKEPbDGabhA19fQ64woSvY6I2ZTv/XY0CxxDAVNN2O3rpl6ZnUgQBVjd/u4Nx3cydf30MnPtipb9bJ1ISZvWtMAYxAeiqd/6rcj/BXSQBt05ffDwPBd5+7pL7gQrJTa51icggKq06KwTfSdi0cPmqvOenKZB0exrp2jtxw1+QIhlhJJyv33fxaJHZaFqlh7vn6j7e03J4UaVPl5h/fnNg3i1uJJW9E6ECfAwRy394r7V1LUZ/GiEMAEQEAAYkBJQQYAQIADwUCWFkV3gIbDAUJAeEzgAAKCRDDo+haxb+IpJFmB/99Ss1U/dJA/XFwWofj3iEDM3W7OJoahYJLD7eOo3lPT8vNnLEVOPkSPjvaggkSsM3Xp5WZw2/oQ3p5KuIE2bSGK/Ok8zEAjEbn5vT4GNTBSH070OAQEHD5dEcYmh9EKSnitPXlLMOG/szsnReimBjLXRibU2wvuMeY7QO58K9kHm1K9cpNWuU5h8M4CMlBATvfl4ZeIBm6K9gmqKKxkF+7Mw1U8XG/OZv6GQwbMER3h7cdsor9LsOZTIdZW7bj9Iyh42hZHMcWq1E2VvHuklwJdpZfKlUs6b/6WwSPsypLLfHnO6C/G726MXH2JuZe5/fFpn+skxgbYNZ1y1BTnyvs # Public part of PGP key for Vault key encryption.

policies: # Array of the policies that will be created
  - name: testpolicy # Name of the policy
    data: # Contain rules
      rules: "path \"secret/authcredentials\" {\n  policy = \"read\"\n}\npath \"test/test_container\" {\n  policy = \"read\"\n}\npath \"auth/token/lookup-self\" {\n  policy = \"read\"\n}" # Contain rules in plaintext HCL format

tokens: # Array of the tokens that will be created
  - display_name: test_token # Name of the token
    id: 950938df-50cb-7a24-faeh-b4f2a23g3b6f # Id of the token
    policies: # Array of the policies attached to token
      - testpolicy # Name of the policy attached to token

Another required variables:

During the first cycle of running this role the initialization process is performed. The unseal keys and vault root token are outputted and these values are encrypted by pgp_keys. The provisioning process is skipped. You have to depcypt the unseal keys. Then you have to unseal in some way (ssh to the machine and unseal vault by providing the decrypted keys or you define some job in continues integration tool which do it for you). The way how would you like to do it is up to you.

When you have Vault unsealed then decrypt vault root token and put decrypted value as a vault_token variable. Then you can define this value in your ansible in vars or set VAULT_TOKEN environment variable or call ansible with extra vars parameter like this:

ansible-playbook -i "<ip_address>," vault.yml --extra-vars '{"vault_token":"XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX"}'

or the other way is to store vault_token value in continues integration tool and pass this value in your jenkins job or Jenkinsfile like this:

withCredentials([[$class: 'StringBinding', credentialsId: 'vault_token', variable: 'VAULT_TOKEN']])
  {
    sh '''
    ansible-playbook ./master.yml -i "<ip_address>," --extra-vars "env=$ENV"
    '''
  }

If you provide correct vault token and the vault is unsealed, during the second cycle the role will provision the vault. All backends, containers, keys and values, policies, tokens will be created.

Dependencies

The role has no external dependencies.

Example Playbook

You have to at least define your own variables in your playbook:

method: http # Suggest to use https
vault_domain_name: vault.your.domain
vault_configuration:
  backend:
    file:
      path: /opt/vault/storage
  listener: #"tcp" and "atlas" are valid values
    tcp:
      address: 0.0.0.0:8200
      tls_disable: 1
  disable_cache: false
  disable_mlock: false

You have to also define backends, secrets, policies which you would like to put into Vault and of course you have to define some initialization values like pgp keys for Vault keys encryption, pgp key for Vault root token encryption and secret threshold which define how many keys you/your team have to provide to unseal the Vault. Secret threshold must be less than length of the pgp_keys array. Let's adopt below variables as you want.

  - backend_name: secret
    configuration:
      type: generic
      description: This backend stores credentials of users
      config:
        max_lease_ttl: 4000
    path: secret
    secrets:
      - container_name: authcredentials
        data:
          username: password
          david: superstrongpasswordfordavid
          daniel: superstrongpasswordfordaniel
      - container_name: privatekeys
        data:
          key_name: encryptedkey
          key_for_mail: enctryptedkeyformail
  - backend_name: test
    configuration:
      type: generic
      #description:
      #config:
        #max_lease_ttl:
    path: test
    secrets:
      - container_name: test_container
        data:
          important_data: importantdatavalue
          another_important_data: anotherimportantdatavalue

initialization:
  root_token_pgp_key: mQENBFhZFd4BCADGj9gcnJHRwQk1UL8BxTugxmJ6uk82S837LWqzrsDv18zObBQK8bmTFps4x6DrUbLbxzHRB7kxbR5g/KN2qCqMYcYkKgLqMqo9XaS4vCriQKCFaZ3FWG99/TxUurPpy+crVCDun8UMGmWZCvRu7UBJQsAF1htukVhdEXAd1116WRD6W5k/+X6B6FvSAD7ud/PWUENdtLxiRgBVhRCHWPlJvdA7I7EaBjF5TMbwFP4wlSHxbdrWZ0z9wGk5FFbtl1qlNaojyJR1Gs3a7T7lB7y1dr6Y727JAYHP5uzQo06F0nfQm58sXtmeBnyhOHZ04BzXBik+Uoh9Bh1Uj7em0cP5ABEBAAG0T0tyenlzenRvZiBTemV3Y3p5ayAoRW5jcnlwdGlvbiBrZXkgZm9yIEhhc2hpY29ycCBWYXVsdCkgPGsuc3pld2N6eWtAa2Fpbm9zLmNvbT6JAT4EEwECACgFAlhZFd4CGwMFCQHhM4AGCwkIBwMCBhUIAgkKCwQWAgMBAh4BAheAAAoJEMOj6FrFv4ik9bsH/3gmLKh8r2xhsbA79bEzBjNPDX9G6qeHfea+RMRjLH5yvNH9/Hnjwkqn3LIAdpzacldrjZMEpqS5z310gxk+cyNB/dFe/Wqmh1UQljDQ354qAZAtQ7OLuypVsg+tI8aIRQieCEC4Ck/h8xnAK8AoOHb29vR+BMNdqp+TNrDrAeYAKchmJiWcYxt5YqT4AP5JRzT82o2Sms3ihyFe1KxgcNbrNjJpEMoCnu8l5e1RrlIeMU8Hm5Mms1ZvausPfFlsa76shhOCZMfZ2acsuuTRqx8ed8UrSmDqAiia60BupsfRfMkqf/GdkEEESoRKhz1EHAUQiC9Flshyl/CjWqCIQCi5AQ0EWFkV3gEIAKLrtH904COoJhOjdqUQNSGu0TSsNik2Hd/v5A5KxG7a2iiqLOD73VvINaTHpwUjkWR3OcgRuqsnshST/qg3T1t8gghON70Pg6nKEPbDGabhA19fQ64woSvY6I2ZTv/XY0CxxDAVNN2O3rpl6ZnUgQBVjd/u4Nx3cydf30MnPtipb9bJ1ISZvWtMAYxAeiqd/6rcj/BXSQBt05ffDwPBd5+7pL7gQrJTa51icggKq06KwTfSdi0cPmqvOenKZB0exrp2jtxw1+QIhlhJJyv33fxaJHZaFqlh7vn6j7e03J4UaVPl5h/fnNg3i1uJJW9E6ECfAwRy394r7V1LUZ/GiEMAEQEAAYkBJQQYAQIADwUCWFkV3gIbDAUJAeEzgAAKCRDDo+haxb+IpJFmB/99Ss1U/dJA/XFwWofj3iEDM3W7OJoahYJLD7eOo3lPT8vNnLEVOPkSPjvaggkSsM3Xp5WZw2/oQ3p5KuIE2bSGK/Ok8zEAjEbn5vT4GNTBSH070OAQEHD5dEcYmh9EKSnitPXlLMOG/szsnReimBjLXRibU2wvuMeY7QO58K9kHm1K9cpNWuU5h8M4CMlBATvfl4ZeIBm6K9gmqKKxkF+7Mw1U8XG/OZv6GQwbMER3h7cdsor9LsOZTIdZW7bj9Iyh42hZHMcWq1E2VvHuklwJdpZfKlUs6b/6WwSPsypLLfHnO6C/G726MXH2JuZe5/fFpn+skxgbYNZ1y1BTnyvs
  secret_threshold: 1
  pgp_keys:
   - mQENBFhZFd4BCADGj9gcnJHRwQk1UL8BxTugxmJ6uk82S837LWqzrsDv18zObBQK8bmTFps4x6DrUbLbxzHRB7kxbR5g/KN2qCqMYcYkKgLqMqo9XaS4vCriQKCFaZ3FWG99/TxUurPpy+crVCDun8UMGmWZCvRu7UBJQsAF1htukVhdEXAd1116WRD6W5k/+X6B6FvSAD7ud/PWUENdtLxiRgBVhRCHWPlJvdA7I7EaBjF5TMbwFP4wlSHxbdrWZ0z9wGk5FFbtl1qlNaojyJR1Gs3a7T7lB7y1dr6Y727JAYHP5uzQo06F0nfQm58sXtmeBnyhOHZ04BzXBik+Uoh9Bh1Uj7em0cP5ABEBAAG0T0tyenlzenRvZiBTemV3Y3p5ayAoRW5jcnlwdGlvbiBrZXkgZm9yIEhhc2hpY29ycCBWYXVsdCkgPGsuc3pld2N6eWtAa2Fpbm9zLmNvbT6JAT4EEwECACgFAlhZFd4CGwMFCQHhM4AGCwkIBwMCBhUIAgkKCwQWAgMBAh4BAheAAAoJEMOj6FrFv4ik9bsH/3gmLKh8r2xhsbA79bEzBjNPDX9G6qeHfea+RMRjLH5yvNH9/Hnjwkqn3LIAdpzacldrjZMEpqS5z310gxk+cyNB/dFe/Wqmh1UQljDQ354qAZAtQ7OLuypVsg+tI8aIRQieCEC4Ck/h8xnAK8AoOHb29vR+BMNdqp+TNrDrAeYAKchmJiWcYxt5YqT4AP5JRzT82o2Sms3ihyFe1KxgcNbrNjJpEMoCnu8l5e1RrlIeMU8Hm5Mms1ZvausPfFlsa76shhOCZMfZ2acsuuTRqx8ed8UrSmDqAiia60BupsfRfMkqf/GdkEEESoRKhz1EHAUQiC9Flshyl/CjWqCIQCi5AQ0EWFkV3gEIAKLrtH904COoJhOjdqUQNSGu0TSsNik2Hd/v5A5KxG7a2iiqLOD73VvINaTHpwUjkWR3OcgRuqsnshST/qg3T1t8gghON70Pg6nKEPbDGabhA19fQ64woSvY6I2ZTv/XY0CxxDAVNN2O3rpl6ZnUgQBVjd/u4Nx3cydf30MnPtipb9bJ1ISZvWtMAYxAeiqd/6rcj/BXSQBt05ffDwPBd5+7pL7gQrJTa51icggKq06KwTfSdi0cPmqvOenKZB0exrp2jtxw1+QIhlhJJyv33fxaJHZaFqlh7vn6j7e03J4UaVPl5h/fnNg3i1uJJW9E6ECfAwRy394r7V1LUZ/GiEMAEQEAAYkBJQQYAQIADwUCWFkV3gIbDAUJAeEzgAAKCRDDo+haxb+IpJFmB/99Ss1U/dJA/XFwWofj3iEDM3W7OJoahYJLD7eOo3lPT8vNnLEVOPkSPjvaggkSsM3Xp5WZw2/oQ3p5KuIE2bSGK/Ok8zEAjEbn5vT4GNTBSH070OAQEHD5dEcYmh9EKSnitPXlLMOG/szsnReimBjLXRibU2wvuMeY7QO58K9kHm1K9cpNWuU5h8M4CMlBATvfl4ZeIBm6K9gmqKKxkF+7Mw1U8XG/OZv6GQwbMER3h7cdsor9LsOZTIdZW7bj9Iyh42hZHMcWq1E2VvHuklwJdpZfKlUs6b/6WwSPsypLLfHnO6C/G726MXH2JuZe5/fFpn+skxgbYNZ1y1BTnyvs

policies:
  - name: testpolicy
    data:
      rules: "path \"secret/authcredentials\" {\n  policy = \"read\"\n}\npath \"test/test_container\" {\n  policy = \"read\"\n}\npath \"auth/token/lookup-self\" {\n  policy = \"read\"\n}"

tokens:
  - display_name: test_token
    id: 950938df-50cb-7a24-faeh-b4f2a23g3b6f
    policies:
      - testpolicy

Playbook can look like:

---
- name: Provision vault
  hosts: vault.your.domain
  roles:
  - vault-provision

Decrypt Vault keys and root token

During the first cycle of provisioning you get keys and root token:

TASK [vault-provision : debug] *************************************************
ok: [vaultprovision] => {
    "initialization": {
        "cache_control": "no-store",
        "changed": false,
        "connection": "close",
        "content_length": "1899",
        "content_type": "application/json",
        "date": "Wed, 28 Dec 2016 17:56:58 GMT",
        "json": {
            "keys": [
                "c1c04c03822c554bc14d713401080024fc6ac55a5966819561129600f055d8fc837e3371955b586887408d3d82c2eb4c897678137daaa39fddc0b1062d199db654b69bce20aebbade8fc7b20d2cf9cafc129a5e321542f332d37ecc1357314ead64eaa25131723197b90827c7c63fb7465ba8ae1ef762cc7dcb583df7246d95c7593efae3f7391e39dcb023f9d7933d6a553d510e30c643dc78939218cef2bca650e20fe7aa494157bde4a0c26a733321a597adc2b65c59110d408c764f3cdcc3082beccb89ff3103e6cc1c81f83dc00628cd5201edc3d36f58d6c2921798b7d2803254ebe3414eeef2bb923a0baaa21016c57193ab6e9abfe2f7a0baf7181200980d9bab7f1f2cd12c80a43aad455d2e001e4cf59665b131fd56e5a793f0fd5670891e1fb87e0bfe0f7e16799e084e2352a6027e0dce66f4b05d594f172c58717660a4ea46adf3bc240e134950c07f0c302d1458f5dccc14d95fc669004891903cd1a5a9ac2dcd9f25564238990cda2e0e3a57006cf9de0f4e498ddc6d2349e201378da85eceb979fa6e246ae4ea7e174a100"
            ],
            "keys_base64": [
                "wcBMA4IsVUvBTXE0AQgAJPxqxVpZZoGVYRKWAPBV2PyDfjNxlVtYaIdAjT2CwutMiXZ4E32qo5/dwLEGLRmdtlS2m84grrut6Px7INLPnK/BKaXjIVQvMy037ME1cxTq1k6qJRMXIxl7kIJ8fGP7dGW6iuHvdizH3LWD33JG2Vx1k++uP3OR453LAj+deTPWpVPVEOMMZD3HiTkhjO8rymUOIP56pJQVe95KDCanMzIaWXrcK2XFkRDUCMdk883MMIK+zLif8xA+bMHIH4PcAGKM1SAe3D029Y1sKSF5i30oAyVOvjQU7u8ruSOguqohAWxXGTq26av+L3oLr3GBIAmA2bq38fLNEsgKQ6rUVdLgAeTPWWZbEx/Vblp5Pw/VZwiR4fuH4L/g9+FnmeCE4jUqYCfg3OZvSwXVlPFyxYcXZgpOpGrfO8JA4TSVDAfwwwLRRY9dzMFNlfxmkASJGQPNGlqawtzZ8lVkI4mQzaLg46VwBs+d4PTkmN3G0jSeIBN42oXs65efpuJGrk6n4XShAA=="
            ],
            "root_token": "wcBMA4IsVUvBTXE0AQgAGQNSD1geNeecOe2Pta7ugXaCIIf80HEX7YJPouys2x6SzB844GG+zCEubsswFBANOgTMctTExC0Fs35vRhCTZakAkYuRLIirQXuFOxZ7avIIaCsv/sn8/R3gIRNWSiRX/m2snI3r49UkA7tJo8w/BKS9b+SQwzDwCAMNY04gXqOE++bJqY6Z/PEEebhuv7McJrA+s2SJj8zKst5DgXzm5tNhkr5/McQEntcHG/RZHBKtBbHppSLDibd98TODnHkcEm+DkhYgKhNQNEiTYzOTHoZtdwwgwd6tYfPYV9d4z/3SsEnXmRskEymJONLU4uMo6nlykNq8UxsqW3vc/xCDhNLgAeTfuOJ86dRgq0Q+2m1wxwBU4Zb34ALg5eEehOCM4nEi8KjgJOWob3JV0y74SJy1tUlXvbIeT5RwvLimvueEbOwVc1FlsuBm4k8V8ATgquRHGMHaat72Z3Q4906BTGb14thk+abhPsYA"
        },
        "msg": "OK (1899 bytes)",
        "redirected": false,
        "status": 200,
        "url": "http://192.168.60.10:8200/v1/sys/init"
    }
}

In the keys_base64 array of the received json you can see your keys encrypted by the provided earlier PGP or GPG keys in base64 format. To decrypt that you have to decode your base64 formated value and then decrypt by gpg1 tool (MacOS) or gpg tool (Linux).

echo "wcBMA4IsVUvBTXE0AQgAJPxqxVpZZoGVYRKWAPBV2PyDfjNxlVtYaIdAjT2CwutMiXZ4E32qo5/dwLEGLRmdtlS2m84grrut6Px7INLPnK/BKaXjIVQvMy037ME1cxTq1k6qJRMXIxl7kIJ8fGP7dGW6iuHvdizH3LWD33JG2Vx1k++uP3OR453LAj+deTPWpVPVEOMMZD3HiTkhjO8rymUOIP56pJQVe95KDCanMzIaWXrcK2XFkRDUCMdk883MMIK+zLif8xA+bMHIH4PcAGKM1SAe3D029Y1sKSF5i30oAyVOvjQU7u8ruSOguqohAWxXGTq26av+L3oLr3GBIAmA2bq38fLNEsgKQ6rUVdLgAeTPWWZbEx/Vblp5Pw/VZwiR4fuH4L/g9+FnmeCE4jUqYCfg3OZvSwXVlPFyxYcXZgpOpGrfO8JA4TSVDAfwwwLRRY9dzMFNlfxmkASJGQPNGlqawtzZ8lVkI4mQzaLg46VwBs+d4PTkmN3G0jSeIBN42oXs65efpuJGrk6n4XShAA==" | base64 -D | gpg1 -d

The result of the above command will be your decrypted key which is necessary to unseal Vault.

Let's do the same with your root_token:

echo "wcBMA4IsVUvBTXE0AQgAGQNSD1geNeecOe2Pta7ugXaCIIf80HEX7YJPouys2x6SzB844GG+zCEubsswFBANOgTMctTExC0Fs35vRhCTZakAkYuRLIirQXuFOxZ7avIIaCsv/sn8/R3gIRNWSiRX/m2snI3r49UkA7tJo8w/BKS9b+SQwzDwCAMNY04gXqOE++bJqY6Z/PEEebhuv7McJrA+s2SJj8zKst5DgXzm5tNhkr5/McQEntcHG/RZHBKtBbHppSLDibd98TODnHkcEm+DkhYgKhNQNEiTYzOTHoZtdwwgwd6tYfPYV9d4z/3SsEnXmRskEymJONLU4uMo6nlykNq8UxsqW3vc/xCDhNLgAeTfuOJ86dRgq0Q+2m1wxwBU4Zb34ALg5eEehOCM4nEi8KjgJOWob3JV0y74SJy1tUlXvbIeT5RwvLimvueEbOwVc1FlsuBm4k8V8ATgquRHGMHaat72Z3Q4906BTGb14thk+abhPsYA" | base64 -D | gpg1 -d

The result of the above command will be your decrypted key which is necessary to further Vault provisioning process - deployment backends, tokens and secrets into Vault. Like i mentioned before root token will be necessary during the second cycle of Vault provisioning and you have to pass root token to ansible as an extra vars:

ansible-playbook -i "<ip_address>," vault.yml --extra-vars '{"vault_token":"XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX"}'

Notice: If vault_token variable is empty then second provision cycle will be skipped.

Sample curl queries to debug vault on localhost

Check whether vault is initialized

curl -X GET http://127.0.0.1:8200/v1/sys/init

Vault initialization

Simple initialization without - root token and keys will be output in plaintext:

curl -X GET -d '{"secret_shares": 1, "secret_threshold": 1}' http://127.0.0.1:8200/v1/sys/init

Intialization with root token and keys encryption:

curl -X PUT -d '{"root_token_pgp_key":"mQENBFhZPkcBCADNApFjN/XvU/yeF4SRoHWzcEmummdMop6GiJg+ji//RPpCqzTY2ww3insb/2alLn7/V5LfuOIIfCFId76sWh0ckIXMdC9EOWlkmJi+Vlncq1Q/KRrE0WyUr8AaAFTbc51AAtUWWR9JW+0GwEpJxTkD9nwdU9Q5o+QKjj8BQ83UdzsnY8hUxSxnyiuufC+XWphUJLeXbJnKaaLs4gu/hoJ6SThEta2vg3B4nXGj3a3U3NuMnmzTlHbODB+bmhSjby68JKflgcQm8kpfxj/+56oX7fGn2xscWA8lBq3GkCFAqzf8j4S1+yJrLgI6//Qv1upYC9UbfYSkzhGPhOHvZL4BABEBAAG0QUtyenlzenRvZiBTemV3Y3p5ayAoRm9yIEhhc2hpb2NvcnAgVmF1bHQpIDxrLnN6ZXdjenlrQGthaW5vcy5jb20+iQE/BBMBAgApBQJYWT5HAhsDBQkDwmcABwsJCAcDAgEGFQgCCQoLBBYCAwECHgECF4AACgkQdL+2Ckh/nsDrZgf/X4Rib24zkLd57TcaKa1/exbRXi5LvC9/EQKeBAr1+SjYqJptgxpZkjcLL3D3d7Uzj8PFHpDy4u8HSEunCG6WtOmeJcTocVIOB2sHor/4jGCazo/Q50mg4ui6totH55Jn0uCxjwB2Mv+ypbE6I9iI25srxkfo06t1tbPcGoGqxSvJdNSlemdmgOphjcIk5uuK5LWD8jbt6TYx66sb0Patl5i77pvuFrBnq8WWVNe1NUpO+oNggMfxaW2RMVYXJRC/S7eH6GIpsPo+h/S4V6037bfeVzUvRcYvdZvL3PQpI7QehweUw6I96SCVASNLGBcWc3LnpTpEnHu98C5IxotCILkBDQRYWT5HAQgAyv4RIYutp1xkdzRTWNsh8ATVgM9q0ly9/qICGWfpvYvH16athvWCxt+ZWxEIFeuD03sLpHf21CR1E6+RH2y3w7Hj9WJGBZuiVNrOZU8tqfvr2N6XR81+re+ajwC5OS9hz0M+G7SN6V/cP4rHnEHVSPqvimD2vM9ahd6cqM1TyBVrwMsXfNshlDlJo7XZR3IbRd1QJLtIND+6Dbi87w64xJU5JbqjOib9Uvt5tYwT735j39k52xEvIRMgkclENBvxdb+J9stXOl7jl0WEBZOslfsmwc9KsNtQeDpDIo5gcEZkKBLyJnG3zMPzy4uBa31wSNzDCef98ytSLuXwipfZqwARAQABiQElBBgBAgAPBQJYWT5HAhsMBQkDwmcAAAoJEHS/tgpIf57A5RoH/3Y8E1fdS5KMhom33XuR+hW/A4cCsNWk5Y9OrQ+p5Beegubk1QVn8/QWWwT4IbmcFrOv/KkfO39gamL4W6t2G4Se+Oww2aHIx6BkSOnoxORLh4b0/tMUEk6hv+XxnfCyBBN661EdWAZx0U61KTIoh5PAUUKEECgSOA/C/o8iC2RcQZ157sd0JVyT3QoHF4t24y9IpK7ktOm5xEz53PFc+HeTjcSjhQwD3BRQmyWgEHt+ET+FRvpJLdjx4A2VZXqLYKeQMfwwtyijjkGTHUf5OcPAyErkFR9qQUym2adQ4NLbsmNYcnFN5JNPkzqk48v3ueEMAMTBa7OneaGAJoQdhJk=","secret_shares": 1, "secret_threshold": 1, "pgp_keys": [ "mQENBFhZPkcBCADNApFjN/XvU/yeF4SRoHWzcEmummdMop6GiJg+ji//RPpCqzTY2ww3insb/2alLn7/V5LfuOIIfCFId76sWh0ckIXMdC9EOWlkmJi+Vlncq1Q/KRrE0WyUr8AaAFTbc51AAtUWWR9JW+0GwEpJxTkD9nwdU9Q5o+QKjj8BQ83UdzsnY8hUxSxnyiuufC+XWphUJLeXbJnKaaLs4gu/hoJ6SThEta2vg3B4nXGj3a3U3NuMnmzTlHbODB+bmhSjby68JKflgcQm8kpfxj/+56oX7fGn2xscWA8lBq3GkCFAqzf8j4S1+yJrLgI6//Qv1upYC9UbfYSkzhGPhOHvZL4BABEBAAG0QUtyenlzenRvZiBTemV3Y3p5ayAoRm9yIEhhc2hpb2NvcnAgVmF1bHQpIDxrLnN6ZXdjenlrQGthaW5vcy5jb20+iQE/BBMBAgApBQJYWT5HAhsDBQkDwmcABwsJCAcDAgEGFQgCCQoLBBYCAwECHgECF4AACgkQdL+2Ckh/nsDrZgf/X4Rib24zkLd57TcaKa1/exbRXi5LvC9/EQKeBAr1+SjYqJptgxpZkjcLL3D3d7Uzj8PFHpDy4u8HSEunCG6WtOmeJcTocVIOB2sHor/4jGCazo/Q50mg4ui6totH55Jn0uCxjwB2Mv+ypbE6I9iI25srxkfo06t1tbPcGoGqxSvJdNSlemdmgOphjcIk5uuK5LWD8jbt6TYx66sb0Patl5i77pvuFrBnq8WWVNe1NUpO+oNggMfxaW2RMVYXJRC/S7eH6GIpsPo+h/S4V6037bfeVzUvRcYvdZvL3PQpI7QehweUw6I96SCVASNLGBcWc3LnpTpEnHu98C5IxotCILkBDQRYWT5HAQgAyv4RIYutp1xkdzRTWNsh8ATVgM9q0ly9/qICGWfpvYvH16athvWCxt+ZWxEIFeuD03sLpHf21CR1E6+RH2y3w7Hj9WJGBZuiVNrOZU8tqfvr2N6XR81+re+ajwC5OS9hz0M+G7SN6V/cP4rHnEHVSPqvimD2vM9ahd6cqM1TyBVrwMsXfNshlDlJo7XZR3IbRd1QJLtIND+6Dbi87w64xJU5JbqjOib9Uvt5tYwT735j39k52xEvIRMgkclENBvxdb+J9stXOl7jl0WEBZOslfsmwc9KsNtQeDpDIo5gcEZkKBLyJnG3zMPzy4uBa31wSNzDCef98ytSLuXwipfZqwARAQABiQElBBgBAgAPBQJYWT5HAhsMBQkDwmcAAAoJEHS/tgpIf57A5RoH/3Y8E1fdS5KMhom33XuR+hW/A4cCsNWk5Y9OrQ+p5Beegubk1QVn8/QWWwT4IbmcFrOv/KkfO39gamL4W6t2G4Se+Oww2aHIx6BkSOnoxORLh4b0/tMUEk6hv+XxnfCyBBN661EdWAZx0U61KTIoh5PAUUKEECgSOA/C/o8iC2RcQZ157sd0JVyT3QoHF4t24y9IpK7ktOm5xEz53PFc+HeTjcSjhQwD3BRQmyWgEHt+ET+FRvpJLdjx4A2VZXqLYKeQMfwwtyijjkGTHUf5OcPAyErkFR9qQUym2adQ4NLbsmNYcnFN5JNPkzqk48v3ueEMAMTBa7OneaGAJoQdhJk="] }' http://127.0.0.1:8200/v1/sys/init

Get list of Vault's backends

curl -H "X-Vault-Token: your_root_token" -X GET http://127.0.0.1:8200/v1/sys/mounts

Create backend named test

curl -H "X-Vault-Token: XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX" -H "Content-Type: application/json" -X POST -d '{"type":"generic"}' http://127.0.0.1:8200/v1/sys/mounts/test

Get list of accessor tokens

curl -H "X-Vault-Token: XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX" -X LIST http://127.0.0.1:8200/v1/auth/token/accessors

Get list of policies

curl -X GET http://127.0.0.1:8200/v1/sys/policy

Create container named "example" in secret backend and output all these key*, vaules* in the "example" container.

curl -H "X-Vault-Token: XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX" -H "Content-Type: application/json" -X POST -d '{"key1":"value1", "key2": "value2"}' http://127.0.0.1:8200/v1/secret/example

Test

The tests directory contains tests for this role in the form of a Vagrant environment. After executing vagrant up in that directory, you should get an environment with one VM, attached to VirtualBox's default NAT network (Internet access is required to get vault package and dependencies).

The directory tests/roles/vault-provision is a symbolic link that should point to the root of this project in order to work.

The playbook test.yml applies the role to a VM, setting role variables.

vagrant provision should be running twice. First cycle is for initialization process. Then you have to unseal Vault. In second cycle you need to provide correct root token (decrypted by your private part of PGP or GPG key) in extra_vars.yml file.

Since now the box name is passed to Vagrantfile by parameter. You can test your changes on few different boxes by running for example:

vagrant --box=centos/6 up
vagrant --box=centos/7 up
vagrant --box=fedora/25-cloud-base up

If you skip box name default one will be used - centos/7.

Feedback, bug-reports, requests, ...

Issues, feature requests, ideas are appreciated and can be posted in the Issues section. Pull requests are also very welcome. Preferably, create a topic branch and when submitting, squash your commits into one (with a descriptive message).

Cheers !

License

MIT

Author Information

I attached links where you can find/get more information about me:

About

Ansible module for Hashicorp Vault provisioning

Install
ansible-galaxy install christophershoemaker/ansible-role-vault-provision
GitHub repository
License
Unknown
Downloads
56