Ansible Tower - Using Azure Key Vault Secrets Within Playbooks
I am currently trying to utilize the Credential of type Microsoft Azure Key Vault within a playbook. From some googling I have found some resources on specifying Credential Types and specifying a custom injector, but would prefer to achieve this with the built-in credential if possible.
Currently, I have my key vault credentials properly configured and tested from the UI, and it is able to find secrets using the service principal details I have supplied.
I wish to use this credential to dynamically access and look up secrets within my playbooks with some sort of command like {{ my_kv_store }}:secret_name. Is achieving this sort of functionality possible?
Thanks in advance.
Decided to deviate away from trying to use Azure Key Vault and went with the Credential Type route instead, using the Azure CLI within the playbook.
Steps I followed:
New Credential Type: Azure Service Principal
    # Input Configuration
    fields:
      - id: vault_url
        type: string
        label: Vault URL (DNS Name)
      - id: client_id
        type: string
        label: Client ID
      - id: client_secret
        type: string
        label: Client Secret
        secret: true
      - id: tenant_id
        type: string
        label: Tenant ID
    required:
      - vault_url
      - client_id
      - client_secret
      - tenant_id

    # Injector Configuration
    env:
      AZ_CLIENT_ID: '{{ client_id }}'
      AZ_CLIENT_SECRET: '{{ client_secret }}'
      AZ_TENANT_ID: '{{ tenant_id }}'
      AZ_VAULT_URL: '{{ vault_url }}'
New Credential: Azure SP Creds
    ---
    - name: grab test-secret from azure kv
      hosts: localhost
      gather_facts: false
      connection: local
      vars:
        kv_secret_name: "test-secret"
      tasks:
        # The AZ_* environment variables are populated by the credential type's env injector
        - name: set facts
          set_fact:
            az_vault_name: "kv-237-gr-vnet-devops"
            az_tenant_id: '{{ lookup("env", "AZ_TENANT_ID") }}'
            az_client_id: '{{ lookup("env", "AZ_CLIENT_ID") }}'
            az_client_secret: '{{ lookup("env", "AZ_CLIENT_SECRET") }}'
            az_vault_url: '{{ lookup("env", "AZ_VAULT_URL") }}'
          # the client secret is among these facts; keep them out of verbose job output
          no_log: true

        - name: connect AZ CLI to Azure
          shell: |
            az login --service-principal -u "{{ az_client_id }}" -p "{{ az_client_secret }}" --tenant "{{ az_tenant_id }}"
          args:
            executable: /usr/bin/bash
          # the command line carries the client secret; keep it out of verbose job output
          no_log: true

        - name: Retrieve secret and register as var
          shell: az keyvault secret show --name "{{ kv_secret_name }}" --vault-name "{{ az_vault_name }}" --query value -o tsv
          args:
            executable: /usr/bin/bash
          register: azure_secret

        # prints the secret value into the job output; useful while testing, remove once verified
        - debug:
            msg: "{{ azure_secret.stdout }}"

        # - name: Use creds to get KV secret
        #   azure_rm_keyvaultsecret_info
        #   debug: msg="the value of this secret is {{lookup('azure_kv',secretname,vault_url=url, client_id=client_id, secret=secret, tenant_id=tenant)}}"

    - hosts: all
      vars:
        kv_secret: "{{ hostvars['localhost']['azure_secret']['stdout'] }}"
      tasks:
        - name: "Show the secret retrieved from localhost"
          shell: echo "{{ kv_secret }}"
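As an added example (not part of the original question or answer, and not Tower's own code), the following Python script lints a Tower/AWX custom credential type definition of the kind shown in the answer and renders what the env injector would hand to the playbook. It checks that fields whose names look sensitive carry `secret: true` (so Tower encrypts them at rest and masks them in the UI), that `required` and every `{{ field }}` reference in the injector point at a declared field, and that env names are valid; it also shows the rendered environment with secret fields masked, which is how such values should appear in any log or report. The field and injector definitions are constructed copies of the answer's "Azure Service Principal" type; the sample values, the `WEAK_*` definition with its deliberate typo, and the helper names are all constructed for this example.

```python
"""Lint a Tower/AWX custom credential type and render its env injector.

Constructed example: INPUTS/INJECTORS mirror the answer's credential type;
SAMPLE_VALUES and WEAK_* are invented placeholders for demonstration.
"""
import re

# Field ids containing one of these are expected to be marked secret: true
SENSITIVE_HINTS = ("secret", "password", "passwd", "token", "private_key")
ENV_NAME = re.compile(r"^[A-Z_][A-Z0-9_]*$")
# Matches the {{ field_id }} references used in injector templates
FIELD_REF = re.compile(r"\{\{\s*([A-Za-z_][A-Za-z0-9_]*)\s*\}\}")

INPUTS = {
    "fields": [
        {"id": "vault_url", "type": "string", "label": "Vault URL (DNS Name)"},
        {"id": "client_id", "type": "string", "label": "Client ID"},
        {"id": "client_secret", "type": "string", "label": "Client Secret", "secret": True},
        {"id": "tenant_id", "type": "string", "label": "Tenant ID"},
    ],
    "required": ["vault_url", "client_id", "client_secret", "tenant_id"],
}
INJECTORS = {
    "env": {
        "AZ_CLIENT_ID": "{{ client_id }}",
        "AZ_CLIENT_SECRET": "{{ client_secret }}",
        "AZ_TENANT_ID": "{{ tenant_id }}",
        "AZ_VAULT_URL": "{{ vault_url }}",
    }
}

# Constructed placeholder values, not real credentials
SAMPLE_VALUES = {
    "vault_url": "https://example-kv.vault.azure.net/",
    "client_id": "00000000-0000-0000-0000-000000000000",
    "client_secret": "constructed-placeholder-secret",
    "tenant_id": "11111111-1111-1111-1111-111111111111",
}

# A deliberately flawed definition: client_secret is not marked secret and
# the injector references a misspelled field id.
WEAK_INPUTS = {
    "fields": [
        {"id": "client_id", "type": "string", "label": "Client ID"},
        {"id": "client_secret", "type": "string", "label": "Client Secret"},
    ],
    "required": ["client_id", "client_secret"],
}
WEAK_INJECTORS = {
    "env": {"AZ_CLIENT_ID": "{{ client_id }}", "AZ_CLIENT_SECRET": "{{ client_secrt }}"}
}


def lint_credential_type(inputs, injectors):
    """Return a list of findings; an empty list means the definition passed."""
    findings = []
    fields = {f["id"]: f for f in inputs.get("fields", [])}
    for fid, spec in fields.items():
        if any(h in fid.lower() for h in SENSITIVE_HINTS) and not spec.get("secret"):
            findings.append(f"field '{fid}' looks sensitive but is not marked secret: true")
    for fid in inputs.get("required", []):
        if fid not in fields:
            findings.append(f"required lists undeclared field '{fid}'")
    for env_name, template in injectors.get("env", {}).items():
        if not ENV_NAME.match(env_name):
            findings.append(f"env name '{env_name}' is not a valid environment variable name")
        for ref in FIELD_REF.findall(str(template)):
            if ref not in fields:
                findings.append(f"env '{env_name}' references undeclared field '{ref}'")
    return findings


def render_env(inputs, injectors, values, mask_secrets=False):
    """Substitute credential values into the env injector templates.

    With mask_secrets=True, fields marked secret: true are replaced by
    '********', which is the form suitable for logs and reports.
    """
    fields = {f["id"]: f for f in inputs.get("fields", [])}

    def substitute(match):
        fid = match.group(1)
        if mask_secrets and fields.get(fid, {}).get("secret"):
            return "********"
        return str(values.get(fid, ""))

    return {name: FIELD_REF.sub(substitute, str(tpl))
            for name, tpl in injectors.get("env", {}).items()}


if __name__ == "__main__":
    for label, inp, inj in (("answer's type", INPUTS, INJECTORS),
                            ("weak type", WEAK_INPUTS, WEAK_INJECTORS)):
        print(f"{label}: {lint_credential_type(inp, inj) or 'OK'}")
    print(render_env(INPUTS, INJECTORS, SAMPLE_VALUES, mask_secrets=True))
```

Run as a script it reports no findings for the answer's definition, two for the weak one, and prints the environment the playbook's `lookup("env", ...)` calls would see, with `AZ_CLIENT_SECRET` masked.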