Advice for token management with AppRole

Hello!

I’m currently working on a Vault, actually in a pre-production environment for testing purposes, and so I still have some questions and need advice :blush:

My setup is pretty simple: 1x on-prem Vault server that hosts secrets that are retrieved by an Ansible server through the lookup method inside all playbooks.

From a Vault perspective, I created a dedicated AppRole for Ansible purposes:

vault write auth/approle/role/ansible-approle \
    token_policies="ansible-policy" \
    token_ttl=2h \
    token_max_ttl=2h \
    secret_id_bound_cidrs="X.X.X.X/32" \
    token_bound_cidrs="X.X.X.X/32"

associated with the following policy:

vault policy write ansible-policy -<<EOF
path "kv/data/ansible" {
  capabilities = [ "read", "list" ]
}
EOF

I wrote a bash script to generate a token from the role-id/secret-id of the AppRole above. This script is also executed manually:

VAULT_ROLE_NAME="ansible-approle"

# Role ID retrieval
role_id=$(vault read --format=json "auth/approle/role/${VAULT_ROLE_NAME}/role-id" | jq -r '.data.role_id')

# Secret ID retrieval - to execute only once!
#secret_id=$(vault write --format=json -f "auth/approle/role/${VAULT_ROLE_NAME}/secret-id" | jq -r '.data.secret_id')

# AppRole token retrieval - read the client token from the JSON response
# instead of relying on the column layout of the table output
issued_token=$(vault write --format=json auth/approle/login role_id="$role_id" secret_id=xxxx-xxxx-xxxx-xxx-xxxx | jq -r '.auth.client_token')

# Export token to current env
export VAULT_ANSIBLE="$issued_token"

Then, the VAULT_ANSIBLE environment variable is updated with a valid token, and I configure Ansible playbooks to base themselves on this environment variable in the following way:

  vars:
    ansible_hashi_vault_token: "{{ lookup('env','VAULT_ANSIBLE') }}"
    test: "{{ lookup('community.hashi_vault.vault_kv2_get', 'my-secret', engine_mount_point='kv/', token=ansible_hashi_vault_token) }}"

By the way, Ansible playbooks are launched within the same account (a service account which could use sudo rights) to which everyone in my team may have access.

Everything works smoothly but I have some questions:

  1. Does this “workflow” seem ok or is there an easier way?

  2. At the moment, token generation is done manually by executing the bash script, so I want to easily handle token generation/renewal automatically (is this a good practice?)
    So, is it fair to say:

  • Every time a playbook is launched, a new token should be automatically created?
  • Every time a playbook is launched, token validity is checked and the token is automatically renewed/re-generated if needed?

If this sounds fair, is there a native way to do this?

Thanks a lot for your help!
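One way to get the "check, renew, or re-login before each playbook" behaviour asked about in question 2, written as an added example rather than code from the post: a wrapper sourced before ansible-playbook that keeps the current VAULT_ANSIBLE token while enough TTL remains, tries renew-self when it is running low, and only then performs a fresh AppRole login. It assumes the vault CLI is on PATH with VAULT_ADDR set, the role name from the post, and that the secret_id is stored in a file at an assumed path (mode 0600) instead of inside the script.

```shell
#!/usr/bin/env bash
# Keep VAULT_ANSIBLE usable before each playbook run: reuse the current token while
# enough TTL remains, otherwise renew it, and fall back to a fresh AppRole login.
# Assumptions: vault CLI on PATH with VAULT_ADDR set; the role name from the post;
# the secret_id lives in SECRET_ID_FILE (assumed path, mode 0600), not in the script.
set -u

VAULT_ROLE_NAME="${VAULT_ROLE_NAME:-ansible-approle}"
SECRET_ID_FILE="${SECRET_ID_FILE:-/etc/ansible/vault-approle-secret-id}"  # assumed path
MIN_TTL_SECONDS="${MIN_TTL_SECONDS:-600}"   # refresh when under 10 minutes remain

# needs_refresh TTL: true when TTL is empty, non-numeric, or below MIN_TTL_SECONDS
needs_refresh() {
  case "$1" in
    ''|*[!0-9]*) return 0 ;;
  esac
  [ "$1" -lt "$MIN_TTL_SECONDS" ]
}

# remaining_ttl TOKEN: seconds left on TOKEN via lookup-self; empty if the token is
# absent, expired or revoked (lookup-self and renew-self come from the default policy)
remaining_ttl() {
  [ -n "$1" ] || return 0
  ( VAULT_TOKEN="$1"; export VAULT_TOKEN; vault token lookup -field=ttl 2>/dev/null ) || true
}

# approle_login: fresh login, printing only the client token (no awk on table output);
# the role-id read uses whatever token the calling shell already has, as in the post
approle_login() {
  role_id=$(vault read -field=role_id "auth/approle/role/${VAULT_ROLE_NAME}/role-id")
  vault write -field=token auth/approle/login \
    role_id="$role_id" secret_id="$(cat "$SECRET_ID_FILE")"
}

# ensure_token: print a token with enough TTL, preferring the one already exported
ensure_token() {
  tok="${VAULT_ANSIBLE:-}"
  ttl=$(remaining_ttl "$tok")
  if ! needs_refresh "$ttl"; then
    printf '%s\n' "$tok"
    return 0
  fi
  # renew-self first; with token_max_ttl=2h this stops extending after two hours
  if [ -n "$tok" ] && ( VAULT_TOKEN="$tok"; export VAULT_TOKEN; vault token renew >/dev/null 2>&1 ); then
    ttl=$(remaining_ttl "$tok")
    if ! needs_refresh "$ttl"; then printf '%s\n' "$tok"; return 0; fi
  fi
  approle_login
}

# In the wrapper that launches ansible-playbook:  export VAULT_ANSIBLE="$(ensure_token)"
```

Because the role is configured with token_max_ttl equal to token_ttl, renewal can never push a token past two hours from issue, so the login fallback is what actually runs after that point.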