extract hashicorp vault secrets as values in ansible playbook

Question

I am trying to extract specific value from kv2 hashicorp vault in ansible playbook using hashi_vault module

- name: Return specific value from vault
  ansible.builtin.set_fact:
    secret: "{{ lookup('hashi_vault', 'secret=my.secrets/data/dev/heslo:value token=vault-plaintext-root-token url=http://10.47.0.235:8200/')}}"   register: secret

I am getting

 {"msg": ""An unhandled exception occurred while running the lookup plugin 'hashi_vault'. Error was a <class 'ansible.errors.AnsibleError'>, original message: The secret my.secrets/data/dev/heslo doesn't seem to exist for hashi_vault lookup"}

Query works for all of the secrets in path using

secret=my.secrets/data/dev/

"heslo" record exists in the path

      "ansible_facts": {
            "secret": {
                "data": {
                    "heslo": "heslo",
                    "password": "test",
                    "username": "ahoj"
                },

Thank you in advance

Answer 1

The syntax for your lookup is for the KV1 engine. We can update it for the KV2 secrets engine:

- name: Return specific value from vault
  ansible.builtin.set_fact:
    secret: "{{ lookup('hashi_vault', 'secret=my.secrets/data/dev token=vault-plaintext-root-token url=http://10.47.0.235:8200/') }}"

The secret fact will then be a dictionary containing all of the key value pairs at the specified secrets path my.secrets/data/dev. You can access the value of the key heslo with the normal syntax secret['heslo'].

Finally, you may also want to update to the Vault collection for Ansible with all of its newer features.