azure.azcollection.azure_keyvault_secret lookup – Read secret from Azure Key Vault.

Note

This lookup plugin is part of the azure.azcollection collection (version 3.13.0).

You might already have this collection installed if you are using the ansible package. It is not included in ansible-core. To check whether it is installed, run ansible-galaxy collection list.

To install it, use: ansible-galaxy collection install azure.azcollection. You need further requirements to be able to use this lookup plugin, see Requirements for details.

To use it in a playbook, specify: azure.azcollection.azure_keyvault_secret.

New in azure.azcollection 1.12.0

Synopsis

  • This lookup returns the content of secret saved in Azure Key Vault.

  • When ansible host is MSI enabled Azure VM, user don’t need provide any credential to access to Azure Key Vault.

Requirements

The below requirements are needed on the local controller node that executes this lookup.

  • All python packages listed in collection’s requirements.txt must be installed via pip on the host that executes modules from azure.azcollection

  • Full installation instructions may be found https://galaxy.ansible.com/azure/azcollection

  • The host that executes this module must have the azure.azcollection collection installed via galaxy

  • azure

  • python >= 2.7

  • requests

Terms

Parameter

Comments

Terms

string / required

Secret name, version can be included like secret_name/secret_version.

Keyword parameters

This describes keyword parameters of the lookup. These are the values key1=value1, key2=value2 and so on in the following examples: lookup('azure.azcollection.azure_keyvault_secret', key1=value1, key2=value2, ...) and query('azure.azcollection.azure_keyvault_secret', key1=value1, key2=value2, ...)

Parameter

Comments

auth_source

string

Controls the source of the credentials to use for authentication.

Can also be set via the ANSIBLE_AZURE_AUTH_SOURCE environment variable.

When set to auto (the default) the precedence is module parameters -> env -> credential_file -> cli.

When set to env, the credentials will be read from the environment variables

When set to cli, the credentials will be sources from the Azure CLI profile. subscription_id or the environment variable AZURE_SUBSCRIPTION_ID can be used to identify the subscription ID if more than one is present otherwise the default az cli subscription is used.

When set to msi, the host machine must be an azure resource with an enabled MSI extension. subscription_id or the environment variable AZURE_SUBSCRIPTION_ID can be used to identify the subscription ID if the resource is granted access to more than one subscription, otherwise the first subscription is chosen.

The msi was added in Ansible 2.6.

Choices:

  • "auto" ← (default)

  • "cli"

  • "env"

  • "msi"

Configuration:

client_id

string

Azure client ID. Use when authenticating with a Service Principal or Managed Identity (msi).

Can also be set via the AZURE_CLIENT_ID environment variable.

Configuration:

cloud_environment

string

added in azure.azcollection 0.0.1

For cloud environments other than the US public cloud, the environment name (as defined by Azure Python SDK, eg, AzureChinaCloud, AzureUSGovernment), or a metadata discovery endpoint URL (required for Azure Stack). Can also be set via credential file profile or the AZURE_CLOUD_ENVIRONMENT environment variable.

Default: "AzureCloud"

Configuration:

cloud_type

string

Specify which cloud, such as azure, usgovcloudapi.

secret

string

Azure client secret. Use when authenticating with a Service Principal.

Configuration:

subscription_id

string

Your Azure subscription Id.

Configuration:

tenant

aliases: tenant_id

string

Azure tenant ID. Use when authenticating with a Service Principal.

Configuration:

use_cli

string

When use_cli=True, get the ‘az login’ credential authentication, default if false.

Deprecated, please use auth_source=cli instead.

use_msi

string

MSI token autodiscover.

The default is to try MSI authentication first, then use auth_source, You can disable MSI entirely by setting this to False.

Default: true

vault_url

string / required

Url of Azure Key Vault.

Notes

Note

  • When keyword and positional parameters are used together, positional parameters must be listed before keyword parameters: lookup('azure.azcollection.azure_keyvault_secret', term1, term2, key1=value1, key2=value2) and query('azure.azcollection.azure_keyvault_secret', term1, term2, key1=value1, key2=value2)

  • If version is not provided, this plugin will return the latest version of the secret.

  • If ansible is running on Azure Virtual Machine with MSI enabled, client_id, secret and tenant are not required.

  • For enabling MSI on Azure VM, please refer to this doc https://docs.microsoft.com/en-us/azure/active-directory/managed-service-identity/

  • After enabling MSI on Azure VM, remember to grant access of the Key Vault to the VM by adding a new Acess Policy in Azure Portal.

  • If MSI is not enabled on ansible host, it’s required to provide a valid service principal which has access to the key vault.

  • To authenticate via service principal, pass client_id, secret and tenant or set environment variables AZURE_CLIENT_ID, AZURE_CLIENT_SECRET and AZURE_TENANT_ID.

  • Authentication via az login is also supported. Set use_cli=true when using Azure CLI.

  • To use a plugin from a collection, please reference the full namespace, collection name, and lookup plugin name that you want to use.

  • For authentication with Azure you can pass parameters, set environment variables, use a profile stored in ~/.azure/credentials, or log in before you run your tasks or playbook with az login.

  • Authentication is also possible using a service principal.

  • To authenticate via service principal, pass subscription_id, client_id, secret and tenant or set environment variables AZURE_SUBSCRIPTION_ID, AZURE_CLIENT_ID, AZURE_SECRET and AZURE_TENANT.

  • Alternatively, credentials can be stored in ~/.azure/credentials. This is an ini file containing a [default] section and the following keys: subscription_id, client_id, secret and tenant.

See Also

See also

Sign in with Azure CLI

How to authenticate using the az login command.

Return Value

Key

Description

Return value

string

secret content string

Returned: success

Authors

  • Hai Cao (@tk5eq)

  • Marcin Slowikowski (@msl0)