“指定无效的Vault令牌。”hashi_vault.vault_pki_generate_certificate -可测

Question

我正试图在Ansible的帮助下从Hashicorp‘Ansible生成证书，如本链接https://docs.ansible.com/ansible/devel/collections/community/hashi_vault/vault_pki_generate_certificate_module.html所述

我的任务是：

- name: Login and use the resulting token
  community.hashi_vault.vault_login:
    # url: http://127.0.0.1:8100
    auth_method: token
    token_file: /tmp/vault_token
  register: login_data

- name: check token
  debug:
    msg: "{{ login_data }}"

- name: Generate a certificate with an existing token
  community.hashi_vault.vault_pki_generate_certificate:
    role_name: blinchik_user_cert_ica2
    common_name: local-docker-registry.service.brain.consul
    url: http://127.0.0.1:8100/v1/pki/brain/v1/ica2/v1/issue
    ttl: 5760h
    auth_method: token
    token: "{{ login_data.login.auth.client_token }}"
  register: cert_data

但是，登录部分似乎无法生成证书。

错误

fatal: [localhost]: FAILED! => {"changed": false, "msg": "Invalid Vault Token Specified."}

我测试了在"{{ login_data }}"中生成的令牌，它是一个有效的令牌。

使用领事模板，我可以这样生成证书：

{{ with secret "pki/brain/v1/ica2/v1/issue/blinchik_user_cert_ica2" "common_name=local-docker-registry.service.brain.consul" "ttl=30536000" }}
{{ .Data.certificate -}}
{{ end }}

有什么想法吗?我的配置有什么问题？

Answer 1

我试图把我的证书路线放在Vault的错误的地方( VAULT_ADDR或url )。相反，我把它放到了engine_mount_point中，它起了作用。

工作结构是：

- name: Generate a certificate with an existing token
  community.hashi_vault.vault_pki_generate_certificate:
    role_name: blinchik_user_cert_ica2
    engine_mount_point: pki/brain/v1/ica2/v1
    common_name: local-docker-registry.service.brain.consul
    url: http://127.0.0.1:8100
    ttl: 5760h
    auth_method: token
    token: "{{ login_data.login.auth.client_token }}"
  register: cert_data
  no_log: true