I have a bunch of ssh keys in key=value form in a HashiCorp Vault which I have set up Ansible to be able to address.
I am trying to set up some new users with the keys I have stored, and failing. Basic info (username, group etc.) is in a list of dicts I have created, called linux_users.
Here is how I grab the whole secret:
- name: set the required secret as fact
  set_fact:
    secret: "{{ lookup('hashi_vault', 'secret=/secret/data/Exploit/PAM url={{ vault_url }} token={{ vault_token.token.auth.client_token }}') }}"
  no_log: true
  delegate_to: localhost
I then use the vars lookup to try and get the ssh keys I want:
- debug:
    msg: "{{ lookup('vars', 'secret.data.' + item.name) }}"
  loop: "{{ linux_users }}"
The result is Ansible tells me the variable doesn't exist:
fatal: [localhost]: FAILED! => {}
MSG:
The task includes an option with an undefined variable. The error was: No variable found with this name: secret.data.pamlogon
The error appears to be in '/home/ansible/test/pamuser.yml': line 19, column 5, but may
be elsewhere in the file depending on the exact syntax problem.
The offending line appears to be:
- debug:
^ here
Yet if I debug the var by its name I get the correct answer:
ok: [localhost] => {
"secret.data.pamlogon": "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAA...[abridged for security purposes]"
}
The variable is just named secret; secret.data.pamlogon is another way to access fields of that variable in Jinja and is (mostly) equivalent to secret['data']['pamlogon']. You do not need the vars lookup here at all, since you are using a single static variable name. Just use the normal accessor syntax:
msg: "{{ secret.data[item.name] }}"
or
msg: "{{ secret['data'][item.name] }}"
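A complete task list that applies the answer's accessor end to end, added here as an example and not part of the question or the answer: it assumes the linux_users items carry name and group fields, that the Vault secret's data section holds one key per username as in the question, and that the ansible.posix collection is installed.

```yaml
# Added example (not from the question or answer). Assumes linux_users items
# have name and group, and secret.data has one ssh public key per username.
- name: set the required secret as fact
  set_fact:
    secret: "{{ lookup('hashi_vault', 'secret=/secret/data/Exploit/PAM url={{ vault_url }} token={{ vault_token.token.auth.client_token }}') }}"
  no_log: true                      # keep the whole secret out of the log
  delegate_to: localhost

- name: fail early if a user has no key stored in Vault
  assert:
    that: item.name in secret.data  # dict membership test, no vars lookup needed
    quiet: true
    fail_msg: "no ssh key stored in Vault for {{ item.name }}"
  loop: "{{ linux_users }}"
  loop_control:
    label: "{{ item.name }}"

- name: create the users
  user:
    name: "{{ item.name }}"
    group: "{{ item.group }}"
  loop: "{{ linux_users }}"
  loop_control:
    label: "{{ item.name }}"

- name: install each user's key read from the secret
  ansible.posix.authorized_key:
    user: "{{ item.name }}"
    key: "{{ secret.data[item.name] }}"   # the accessor from the answer
  loop: "{{ linux_users }}"
  no_log: true                      # loop items would otherwise print the keys
```

Without no_log on the last task the per-item output would echo every key, so the setting belongs on the loop task as well as on the set_fact.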