【发布时间】:2019-08-24 06:26:39
【问题描述】:
我的 ansible playbook 中有以下任务:
- name: Generate vault token
uri:
url: "{{vault_address}}/v1/auth/github/login"
method: POST
body: "{ \"token\": \"{{ token }}\" }"
validate_certs: no
body_format: json
register: vault_token
- name: debug vault
debug:
msg: "{{vault_address}}/v1/{{vault_path}}/db2w-flex/{{region_name}}"
- name: Create secret in vault
uri:
url: "{{vault_address}}/v1/{{vault_path}}/db2w-flex/{{region_name}}"
method: POST
body: '{ "secret_access_key": "{{ (new_access_key.stdout |from_json).AccessKey.SecretAccessKey }}", "access_key_id": "{{ (new_access_key.stdout |from_json).AccessKey.AccessKeyId }}" }'
validate_certs: no
status_code: 204
headers:
X-VAULT-TOKEN: '{{ vault_token.json.auth.client_token }}'
body_format: json
此任务一直失败:
fatal: [localhost]: FAILED! => {"cache_control": "no-store", "changed": false, "content": "{\"errors\":[\"missing client token\"]}\n", "content_length": "36", "content_type": "application/json", "date": "Tue, 02 Apr 2019 20:16:03 GMT", "failed": true, "json": {"errors": ["missing client token"]}, "msg": "Status code was not [204]", "redirected": false, "status": 400}
相同的任务在另一台主机(kubernetes POD)上运行良好。我在一个新系统(docker容器)上运行它。客户端令牌已正确生成。我可以通过 curl 进行 POST,因此容器上没有网络问题。有什么方法可以调试正在传递的标头、正在命中的 url 等?我不知道缺少什么。
我没有使用 Vault cli。它全部基于 HTTP。
添加-vvvv后是日志:
TASK [Create secret in vault] **************************************************
task path: /deployment/updateVault.yml:16
ESTABLISH LOCAL CONNECTION FOR USER: root
127.0.0.1 EXEC ( umask 22 && mkdir -p "$( echo $HOME/.ansible/tmp/ansible-tmp-1554241833.81-120109582683210 )" && echo "$( echo $HOME/.ansible/tmp/ansible-tmp-1554241833.81-120109582683210 )" )
127.0.0.1 PUT /tmp/tmpDgx1F_ TO /root/.ansible/tmp/ansible-tmp-1554241833.81-120109582683210/uri
127.0.0.1 EXEC LANG=en_US.UTF-8 LC_ALL=en_US.UTF-8 LC_MESSAGES=en_US.UTF-8 /usr/bin/python /root/.ansible/tmp/ansible-tmp-1554241833.81-120109582683210/uri; rm -rf "/root/.ansible/tmp/ansible-tmp-1554241833.81-120109582683210/" > /dev/null 2>&1
fatal: [localhost]: FAILED! => {"cache_control": "no-store", "changed": false, "content": "{\"errors\":[\"missing client token\"]}\n", "content_length": "36", "content_type": "application/json", "date": "Tue, 02 Apr 2019 21:50:34 GMT", "failed": true, "invocation": {"module_args": {"backup": null, "body": {"access_key_id": "xxxxxxxxxxxx", "secret_access_key": "5ovB684peTr8YpnNMQBn+xxxxxxxxxxx+"}, "body_format": "json", "content": null, "creates": null, "delimiter": null, "dest": null, "directory_mode": null, "follow": false, "follow_redirects": "safe", "force": null, "force_basic_auth": false, "group": null, "headers": {"X-VAULT-TOKEN": "eee90f1c-3c9e-edaf-32e6-b6cexxxxx"}, "method": "POST", "mode": null, "owner": null, "password": null, "regexp": null, "remote_src": null, "removes": null, "return_content": false, "selevel": null, "serole": null, "setype": null, "seuser": null, "src": null, "status_code": ["204"], "timeout": 30, "url": "https://vserv-us.sos.ibm.com:8200/v1/generic/user/akanksha-jain/db2w-flex/us", "user": null, "validate_certs": false}, "module_name": "uri"}, "json": {"errors": ["missing client token"]}, "msg": "Status code was not [204]", "redirected": false, "status": 400}
我尝试在同一个 pod 中运行包含上述所有详细信息的 curl,结果很好。
【问题讨论】:
-
有机会从服务器获取一些日志吗?
vault audit enable file file_path=stdout, vaultproject.io/docs/audit/file.html -
添加了更多细节。正如我所说,我没有使用 Vault cli。
-
我粘贴的审计命令会给你来自 Vault 方面的日志,而不是来自 ansibles 方面;)
标签: ansible hashicorp-vault ansible-vault