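---
# Integration-test fixture: enable an AppRole auth mount at `this_path`,
# create `test-role` on it, and expose that role's RoleID / SecretID as
# facts named `<path_key>_role_id` and `<path_key>_secret_id` for later tasks.
# Every call below authenticates with the dev server's root token
# (vault_dev_root_token_id), so this is only suitable for throwaway test instances.
- name: "Setup block"
  vars:
    # true when this_path is the default mount; the mount path is then omitted
    is_default_path: "{{ this_path == default_path }}"
    # mount path with '-' rewritten to '_' so it can be embedded in a fact name
    path_key: "{{ this_path | replace('-','_') }}"
  block:
    - name: 'Enable the AppRole auth method'
      vault_ci_enable_auth:
        url: "{{ vault_addr }}"
        token: "{{ vault_dev_root_token_id }}"
        method_type: approle
        # omit 'path' for the default mount so the module falls back to its default
        path: '{{ omit if is_default_path else this_path }}'

    - name: 'Create an approle policy'
      vault_ci_policy_put:
        url: "{{ vault_addr }}"
        token: "{{ vault_dev_root_token_id }}"
        name: approle-policy
        # the policy covers a single path: login on this mount, nothing else
        policy: |
          path "auth/{{ this_path }}/login" {
            capabilities = [ "create", "read" ]
          }

    - name: 'Create a named role'
      vault_ci_write:
        url: "{{ vault_addr }}"
        token: "{{ vault_dev_root_token_id }}"
        path: 'auth/{{ this_path }}/role/test-role'
        data:
          # in docs, this is token_policies (changed in Vault 1.2)
          # use 'policies' to support older versions
          policies: "{{ 'test-policy' if is_default_path else 'alt-policy' }},approle-policy"
          # SecretIDs issued for this role get a 60 minute TTL
          secret_id_ttl: 60m

    - name: 'Fetch the RoleID of the AppRole'
      vault_ci_read:
        url: "{{ vault_addr }}"
        token: "{{ vault_dev_root_token_id }}"
        path: 'auth/{{ this_path }}/role/test-role/role-id'
      register: role_id_cmd

    - name: 'Get a SecretID issued against the AppRole'
      vault_ci_write:
        url: "{{ vault_addr }}"
        token: "{{ vault_dev_root_token_id }}"
        path: 'auth/{{ this_path }}/role/test-role/secret-id'
        data: {}
      register: secret_id_cmd
      # the registered result carries a live SecretID; keep it out of CI logs
      # (switch to no_log: false locally if this step needs debugging)
      no_log: true

    - name: register path-specific variables
      set_fact:
        '{{ path_key }}_role_id': "{{ role_id_cmd.result.data.role_id }}"
        '{{ path_key }}_secret_id': "{{ secret_id_cmd.result.data.secret_id }}"
      # the facts set here include the SecretID; don't echo them in verbose output
      no_log: true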