Configure KV2 modules
If you are using KV2 with the community.hashi_vault collection, configure the corresponding modules in the hashicorp.vault collection.
Configure the hashicorp.vault.kv2_secret module
The hashicorp.vault.kv2_secret module performs create, update, and delete operations on KV2 secrets through a single unified interface.
Before you begin
- Install the Ansible Automation Platform certified hashicorp.vault collection.
About this task
The corresponding community.hashi_vault modules are:
- community.hashi_vault.vault_kv2_write: Writes KV2 secrets.
- community.hashi_vault.vault_kv2_delete: Deletes KV2 secrets.
Procedure
What to do next
Configure the hashicorp.vault.kv2_secret_info module
The hashicorp.vault.kv2_secret_info module reads KV2 secrets.
About this task
The corresponding community.hashi_vault module is:
- community.hashi_vault.vault_kv2_get: Gets secrets from the HashiCorp Vault KV version 2 secret store.
Procedure
What to do next
Configure the hashicorp.vault.kv2_secret_get lookup plugin
The hashicorp.vault.kv2_secret_get lookup plugin reads KV2 secrets.
About this task
The corresponding community.hashi_vault modules are:
- community.hashi_vault.hashi_vault: Retrieves secrets from HashiCorp Vault.
- community.hashi_vault.vault_kv2_get lookup: Gets secrets from the HashiCorp Vault KV version 2 secret store.
Procedure
What to do next
Examples: hashicorp.vault.kv2_secret module
The following migration examples show basic before and after configurations for the hashicorp.vault.kv2_secret module.
KV2 delete operations are soft deletes.
Example 1: Basic Secret Write/Create
Before (community.hashi_vault):

- name: Write/create a secret
  community.hashi_vault.vault_kv2_write:
    url: https://vault:8200
    path: hello
    data:
      foo: bar

After (hashicorp.vault):

- name: Write/create a secret
  hashicorp.vault.kv2_secret:
    url: https://vault:8200
    path: hello
    data:
      foo: bar

Example 2: Basic Secret Delete
Before (community.hashi_vault):

- name: Delete the latest version of the secret/mysecret secret.
  community.hashi_vault.vault_kv2_delete:
    url: https://vault:8201
    path: secret/mysecret

After (hashicorp.vault):

- name: Delete the latest version of the secret/mysecret secret.
  hashicorp.vault.kv2_secret:
    url: https://vault:8201
    path: secret/mysecret
    state: absent

Example 3: Secret Delete - specific version
Before (community.hashi_vault):

- name: Delete versions 1 and 3 of the secret/mysecret secret.
  community.hashi_vault.vault_kv2_delete:
    url: https://vault:8201
    path: secret/mysecret
    versions: [1, 3]

After (hashicorp.vault):

- name: Delete versions 1 and 3 of the secret/mysecret secret.
  hashicorp.vault.kv2_secret:
    url: https://vault:8201
    path: secret/mysecret
    versions: [1, 3]
    state: absent

Examples: hashicorp.vault.kv2_secret_info module
The following migration examples show before and after configurations for the hashicorp.vault.kv2_secret_info module.
Example 1: Read a secret with token authentication
Before (community.hashi_vault):

- name: Read the latest version of a kv2 secret from Vault
  community.hashi_vault.vault_kv2_get:
    url: https://vault.example.com:8200
    token: "{{ vault_token }}"
    path: myapp/config
  register: response

After (hashicorp.vault):

- name: Read a secret with token authentication
  hashicorp.vault.kv2_secret_info:
    url: https://vault.example.com:8200
    token: "{{ vault_token }}"
    path: myapp/config

Example 2: Read a secret with a specific version
Before (community.hashi_vault):

- name: Read version 5 of a secret from kv2
  community.hashi_vault.vault_kv2_get:
    url: https://vault.example.com:8200
    path: myapp/config
    version: 5

After (hashicorp.vault):

- name: Read a secret with a specific version
  hashicorp.vault.kv2_secret_info:
    url: https://vault.example.com:8200
    path: myapp/config
    version: 1

Examples: hashicorp.vault.kv2_secret_get lookup
The following migration example shows the KV2 secret get lookup for retrieving the latest version.
Example:
Before (community.hashi_vault):

- name: Return latest KV v2 secret from path
  ansible.builtin.debug:
    msg: "{{ lookup('community.hashi_vault.hashi_vault', 'secret=secret/data/hello token=my_vault_token url=http://myvault_url:8200') }}"

After (hashicorp.vault):

- name: Return latest KV v2 secret from path
  ansible.builtin.debug:
    msg: "{{ lookup('hashicorp.vault.kv2_secret_get', 'secret=secret/data/hello url=http://myvault_url:8200') }}"