Ansible Content Automation: ACA-4884

hashicorp-vault-1.1.0 kv2_secret_get plugin


    • Type: Bug
    • Resolution: Unresolved
    • Priority: Normal
      Description

      I am attempting to use the hashicorp.vault.kv2_secret_get plugin and running into an issue. I have been able to successfully read my secret data using the kv2_secret_info but cannot seem to get the plugin to work using approle authentication. When I configure approle auth such as shown in the examples:

      - name: do lookup
        set_fact:
          secret_data: "{{ lookup('hashicorp.vault.kv2_secret_get',
                           auth_method='approle',
                           secret='testing/myTestSecret',
                           secret_mount_path='kv2Secret',
                           secret_id=vault_secret_id,
                           role_id=vault_role_id,
                           namespace='root',
                           version=1,
                           url='https://vault_url:8200') }}"
      - name: show
        debug:
          var: secret_data

      I get this error stating:

      TASK [do lookup] *****************************************************************************
      [ERROR]: Task failed: Finalization of task args for 'ansible.builtin.set_fact' failed: Error while resolving value for 'secret_data': The lookup plugin 'hashicorp.vault.kv2_secret_get' failed: : No config definition exists for 'vault_approle_role_id' for 'ansible_collections.hashicorp.vault.plugins.lookup.kv2_secret_get' lookup plugin.
      Task failed.
      Origin: /path/to/vaultTokenTest.yaml:38:7
      36   tasks:
      37
      38     - name: do lookup
               ^ column 7
      <<< caused by >>>
      Finalization of task args for 'ansible.builtin.set_fact' failed.
      Origin: /path/to/vaultTokenTest.yaml:39:7
      37
      38     - name: do lookup
      39       set_fact:
               ^ column 7
      <<< caused by >>>
      Error while resolving value for 'secret_data': The lookup plugin 'hashicorp.vault.kv2_secret_get' failed: : No config definition exists for 'vault_approle_role_id' for 'ansible_collections.hashicorp.vault.plugins.lookup.kv2_secret_get' lookup plugin.
      Origin: /path/to/vaultTokenTest.yaml:40:22
      38     - name: do lookup
      39       set_fact:
      40         secret_data: "{{ lookup('hashicorp.vault.kv2_secret_get',
                            ^ column 22
      fatal: [localhost]: FAILED! => {"changed": false, "msg": "Task failed: Finalization of task args for 'ansible.builtin.set_fact' failed: Error while resolving value for 'secret_data': The lookup plugin 'hashicorp.vault.kv2_secret_get' failed: : No config definition exists for 'vault_approle_role_id' for 'ansible_collections.hashicorp.vault.plugins.lookup.kv2_secret_get' lookup plugin."}

      I have tried numerous variations, using environment variables, and parameters named VAULT_APPROLE_ROLE_ID and VAULT_APPROLE_SECRET_ID as listed in the documentation without any luck, all yielding the same error. Additionally, looking at the ansible tests, there does not seem to be any test covering approle authentication.
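      A useful way to separate a plugin defect like the one above from a Vault-side problem (wrong mount path, role, policy or CA) is to perform the same AppRole login and KV v2 read directly against Vault's HTTP API, with the exact values the playbook passes. The Python below is an added example for this report, not code from the hashicorp.vault collection or from the reporter's playbook. The endpoints are Vault's documented /v1/auth/approle/login and /v1/<mount>/data/<path>; the function names, the handling of namespace='root' as "send no X-Vault-Namespace header", the REQUESTS_CA_BUNDLE lookup for a private CA, and the constructed offline transport with its sample responses are this example's own assumptions.

```python
"""Stand-alone AppRole login followed by a KV v2 read, using only Vault's HTTP API.

Added example for this bug report: NOT part of hashicorp.vault or of the reporter's
playbook. It reproduces what the kv2_secret_get lookup is expected to do, so a failure
can be attributed to the plugin rather than to Vault-side configuration. Function
names, the 'root' namespace handling and the sample responses are assumptions.
"""
import json
import os
import ssl
import urllib.request
from urllib.parse import quote, urlencode

VAULT_ROOT_NAMESPACE = "root"  # assumption: 'root' means "omit the namespace header"


def _namespace_header(namespace):
    # Vault addresses a child namespace via X-Vault-Namespace; the root
    # namespace is selected by sending no header at all.
    if namespace and namespace != VAULT_ROOT_NAMESPACE:
        return {"X-Vault-Namespace": namespace.strip("/")}
    return {}


def approle_login_request(url, role_id, secret_id, namespace=None):
    """Build (method, url, headers, body) for POST /v1/auth/approle/login."""
    headers = {"Content-Type": "application/json", **_namespace_header(namespace)}
    body = json.dumps({"role_id": role_id, "secret_id": secret_id}).encode()
    return "POST", f"{url.rstrip('/')}/v1/auth/approle/login", headers, body


def kv2_read_request(url, token, mount, path, version=None, namespace=None):
    """Build the GET for /v1/<mount>/data/<path>[?version=N] (KV v2 read)."""
    headers = {"X-Vault-Token": token, **_namespace_header(namespace)}
    target = f"{url.rstrip('/')}/v1/{quote(mount.strip('/'))}/data/{quote(path.strip('/'))}"
    if version is not None:
        target += "?" + urlencode({"version": int(version)})
    return "GET", target, headers, None


def http_send(method, target, headers, body):
    """Send with urllib. A private CA bundle is honoured via REQUESTS_CA_BUNDLE,
    the same variable the requests library reads; unset, the system trust store is used."""
    ctx = ssl.create_default_context(cafile=os.environ.get("REQUESTS_CA_BUNDLE"))
    req = urllib.request.Request(target, data=body, headers=headers, method=method)
    with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
        return json.loads(resp.read().decode())


def get_kv2_secret(url, role_id, secret_id, mount, path, version=None, namespace=None, send=http_send):
    """AppRole login, then KV v2 read. Returns (secret data dict, stored version number).
    `send` is injectable so the whole flow can be exercised offline."""
    login = send(*approle_login_request(url, role_id, secret_id, namespace))
    token = login["auth"]["client_token"]
    read = send(*kv2_read_request(url, token, mount, path, version, namespace))
    return read["data"]["data"], read["data"]["metadata"]["version"]


def fake_send(method, target, headers, body):
    """Constructed offline transport mimicking Vault's two responses (sample data only)."""
    if method == "POST" and target.endswith("/v1/auth/approle/login"):
        assert json.loads(body).keys() == {"role_id", "secret_id"}
        return {"auth": {"client_token": "hvs.CONSTRUCTED-TOKEN"}}
    # The read must carry the token the login handed back.
    assert method == "GET" and headers.get("X-Vault-Token") == "hvs.CONSTRUCTED-TOKEN"
    return {"data": {"data": {"username": "demo", "password": "s3cr3t"},
                     "metadata": {"version": 1}}}


def offline_demo():
    """Run the flow with the constructed transport, using the report's parameters."""
    return get_kv2_secret("https://vault_url:8200", "ROLE-ID-PLACEHOLDER", "SECRET-ID-PLACEHOLDER",
                          mount="kv2Secret", path="testing/myTestSecret", version=1,
                          namespace="root", send=fake_send)


if __name__ == "__main__":
    print(offline_demo())
    # Against a real Vault: pass the real role_id/secret_id and drop send=fake_send
    # so http_send is used; a 403 on the read then points at policy, not at the plugin.
```

      Running the script with the real role_id/secret_id and your Vault URL tells you whether the AppRole and the kv2Secret mount path are correct; if that succeeds while the lookup still fails with "No config definition exists", the fault is in how the plugin resolves its options, which is what the diff further down addresses.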

      Version information:

      $ ansible --version
      ansible [core 2.19.3]
      ...
      executable location = /opt/homebrew/bin/ansible
      python version = 3.13.9 (main, Oct 14 2025, 13:52:31) [Clang 17.0.0 (clang-1700.0.13.3)] (/opt/homebrew/Cellar/ansible/12.1.0_1/libexec/bin/python)
      jinja version = 3.1.6
      pyyaml version = 6.0.3 (with libyaml v0.2.5)

      $ ansible-galaxy collection list hashicorp.vault
      # /<path>/<to>/.ansible/collections/ansible_collections
      Collection      Version
      --------------- -------
      hashicorp.vault 1.1.0

      Control Node: arm architecture mac 

      Describe the impact to you or the business

      This prevents users from using the hashicorp-vault-1.1.0 kv2_secret_get plugin, degrading experience for all users.

      Frequency

      This happens every time approle authentication is used with the plugin.

      Fix

      Was able to resolve by editing the Ansible plugin python file at plugins/plugin_utils/base.py with the following diff, which fixes some param names so they match the parameters in the documentation:

       else:
                       params = {
                           "vault_address": self.get_option("url"),
      -                    "role_id": self.get_option("vault_approle_role_id"),
      -                    "secret_id": self.get_option("vault_approle_secret_id"),
      +                    "role_id": self.get_option("role_id"),
      +                    "secret_id": self.get_option("secret_id"),
                           "vault_namespace": self.get_option("namespace"),
                       }
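      Review bot: the keys being removed, `vault_approle_role_id` and `vault_approle_secret_id`, are exactly the option name the error above says has no config definition, and the replacements `role_id` / `secret_id` are the parameter names the playbook passes to the lookup, so the hunk addresses the reported failure; before merging, confirm that every lookup using this base class declares `role_id` and `secret_id` (including the VAULT_APPROLE_ROLE_ID / VAULT_APPROLE_SECRET_ID environment fallbacks the report mentions) in its DOCUMENTATION options, since `get_option` can only resolve names declared there, and add an approle test case, as the report notes none exists.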

      Notes

      Please feel free to direct me elsewhere if this is not the correct location to open this bug, though I have no visibility to the original repo, this project, etc. so it may be best to email me at joshua.beha@ibm.com for any updates or if you need additional information.
      Also, it would be cool if in the future the plugin allowed custom CAs besides using the REQUESTS_CA_BUNDLE env var, which does not appear to be documented (would be nice to have an example).

      Assignee: Unassigned
      Reporter: Joshua Beha