我的ansible剧本中有以下任务:
- name: Test on localhost
hosts: localhost
gather_facts: false
tasks:
- name: Get vault vaules
uri:
url: "{{vault_address_personal}}/v1/{{vault_path_personal}}/pg"
method: GET
validate_certs: no
headers:
X-Vault-Token: "36f8a4d9-64fd-a2ec-b45a-fd041f7e28df"
register: pg_value
此任务失败:
TASK [Get vault vaules] *******************************************************************************************************************************
fatal: [localhost]: FAILED! => {"cache_control": "no-store", "changed": false, "connection": "close", "content": "{\"errors\":[\"permission denied\"]}\n", "content_length": "33", "content_type": "application/json", "date": "Wed, 27 Mar 2019 15:44:29 GMT", "failed": true, "json": {"errors": ["permission denied"]}, "msg": "Status code was not [200]: HTTP Error 403: Forbidden", "redirected": false, "status": 403, "url": "https://vserv-us.sos.ibm.com:8200/v1/generic/user/xyz/pg"}
但是,当我卷曲时,我得到了正确的值:
curl --header "X-Vault-Token: 36f8a4d9-64fd-a2ec-b45a-fd041f7e28df" https://vserv-us.sos.ibm.com:8200/v1/generic/user/xyz/pg --insecure
{"request_id":"662fb6f5-5271-0551-de6b-cdf7d873f410","lease_id":"","renewable":false,"lease_duration":2764800,"data":{"password":"p0wn-me"},"wrap_info":null,"warnings":null,"auth":null}
看起来像ansible不考虑标题。这里有什么遗漏?
我也尝试过:
"X-Vault-Token": "36f8a4d9-64fd-a2ec-b45a-fd041f7e28df"
我经历了一些问题,它说标题可能会自动大写。所以也试过了
"X-VAULT-TOKEN": "36f8a4d9-64fd-a2ec-b45a-fd041f7e28df"
适用于卷曲。还试过postman并注意到有一个标题为授权自动添加邮递员值Basic Og==
所以尝试添加额外的标题。但没有任何效果。
还试过hashi_vault但得到了同样的错误:
- name: Return all secrets from a path
hosts: localhost
gather_facts: false
tasks:
- name: Return all secrets from a path
debug:
msg: "{{ lookup('hashi_vault', 'secret=generic/user/xyz/pg token=36f8a4d9-64fd-a2ec-b45a-fd041f7e28df url=https://vserv-us.sos.ibm.com:8200 validate_certs=False')}}"
经过大量的调试后,我发现网址形成存在一些问题。看错误很容易假设标题有问题。我希望当网址本身错误时,有一些更有用的错误,如404
或400
。