azure - 无法在 ansible 中获取 azure key vault secret

Question

我尝试使用azcollection 1.9.0 从我的 ansible 4 playbook 中的 azure key vault 获取一个秘密。

- name: Get secret value
  azure_rm_keyvaultsecret_info:
    vault_uri: https://my-vault.vault.azure.net/
  register: kvSecret

根据文档，结果应该包含一个秘密列表，其中包含一个名为secret包含秘密值的属性。

但是，结果集中不存在此属性。这是我得到的结果：

{
    "changed": False,
    "secrets": [
        {
            "sid": "https: //my-vault.vault.azure.net/secrets/ssh-user-username",
            "version": "",
            "tags": {},
            "attributes": {
                "enabled": True,
                "not_before": None,
                "expires": None,
                "created": "2021-09-05T14:32:10+00:00",
                "updated": "2021-09-05T14:32:10+00:00",
                "recovery_level": "Recoverable+Purgeable"
            }
        }
    ],
    "failed": False
}

如果我尝试使用该name选项获取这个确切的秘密，我会得到一个空的结果集。

我的保管库包含此密钥，它有一个值，并且服务主体可以通过 IAM 访问我的密钥保管库，其角色Key Vault Reader和Key Vault Secrets User.

Answer 1

我在我的环境中对其进行了测试，我的服务主体使用以下 yml 代码拥有 Key vault reader 和 Key vault secrets 用户。

---
- hosts: localhost
  connection: local
  collections:
    - azure.azcollection

  vars:
    vault_name: Testansumankeyvault01
    secret_name: adminPassword

  tasks:

  - name: Get Key Vault by name
    azure_rm_keyvault_info:
      resource_group: test-rg
      name: "{{ vault_name }}"
    register: keyvault

  - name: Set key vault URI fact
    set_fact: keyvaulturi="{{ keyvault['keyvaults'][0]['vault_uri'] }}"

  - name: Get secret value
    azure_rm_keyvaultsecret_info:
      vault_uri: "{{ keyvaulturi }}"
      name: "{{ secret_name }}"
    register: kvSecret

  - name: set secret fact
    set_fact: secretValue="{{ kvSecret['secrets'][0]['secret'] }}"

  - name: Output key vault secret
    debug: 
      msg="{{ secretValue }}"

参考：

Azure built-in roles - Azure RBAC | Microsoft Docs

Use Azure Key Vault to store VM secrets with Ansible | Microsoft Docs

Answer 2

Turns out that this was an issue with the authentication. Ansible is connecting to my remote machine via ssh and therefore I needed to set the authentication for azure. I was doing this with environment variables in my ansible playbook but it turns out that they are not set when the playbook runs it's tasks. Passing them explicitly to the command does the trick.