How do you generate a kube service account token

[peterlai-roboops]

Hi

Im a bit confused, ive tried using the write, read, and generate token, but i don't seem to be getting anywhere.

So i have a role, which is a kube service account. I want vault to generate a new token for said service account.
I somehow got this working a few months back using the write function, but i forgot how, and now I can't seem to get anyting back.

There's nothing is data. Help please,

 ok: [awsdubdta] => {
15:51:27      "k8stoken": {
15:51:27          "changed": true,
15:51:27          "data": {},
15:51:27          "failed": false
15:51:27      }
15:51:27  }

[briantist]

Hi @peterlai-roboops I'd need more information to see if I could help with this. Can you show actual Ansible tasks you're trying to run?

Please keep in mind that this collection is an Ansible wrapper to hvac, which is a Python wrapper to the Vault HTTP API.

In this collection, vault_read is a very generic way to do a GET request against a Vault path. Similarly vault_write does a POST request (in Vault POST and PUT are equivalent).

To use these effectively to perform Vault operations that we don't have dedicated content for, you must understand the underlying Vault API endpoints, including what data they expect.

If you can provide more information about what you're running, which HTTP endpoint(s) you're trying to hit, and what errors or other output you're receiving, it might be possible to get some additional feedback.

[peterlai-roboops]

I guess the problem is 2 part, first I don't know which api method allows me to generate a new credentials, i've tried the below, hoping that it returns with a new token.

curl -X 'GET' \
  'https://vault.emirates.group/v1/kubernetes_aws_dta_cluster/roles/token_generation_test2' \
  -H 'accept: */*' \
  -H 'X-Vault-Token: gfdgfgfdgf' \
  -H 'X-Vault-Namespace: ekg_prd/cmp'

Which is the equiv of this, i guess.

- name: Generate a K8
  when: true
  tags:
    - always
    - create-project
  community.hashi_vault.vault_write:
    token: "dddd"
    url: "https://vault.emirates.group"
    namespace: "efsdf/cmp"
    path: "kubernetes_aws_dta_cluster/creds/token_generation_test2"
#  no_log: false
  register: k8stoken

[briantist]

Unfortunately I'm not really familiar with this workflow, but if you're doing a GET request with curl, then the equivalent is vault_read, but typically a GET request does not generate tokens or other data, so vault_write (a PUT or POST request) is probably the correct one to use. You'll have to check the Vault HTTP API documentation to be sure.

[peterlai-roboops]

curl -X 'POST' \
  'https://vault.vaulty.group/v1/kubernetes_aws_dta_cluster/creds/token_generation_test2' \
  -H 'accept: */*' \
  -H 'Content-Type: application/json' \
  -H 'X-Vault-Token: fdsfdsfd' \
  -H 'X-Vault-Namespace: ekg_prd/cmp' \
  -d '{
  "audiences": [
    "string"
  ],
  "cluster_role_binding": false,
  "kubernetes_namespace": "utilities",
  "ttl": "1h"
}'

So the above is what i was trying to do, once i figured out that i needed this

  "cluster_role_binding": false,
  "kubernetes_namespace": "utilities",
  "ttl": "1h" 
  

The rest was easy.

  - name: Generate a K8
  when: true
  tags:
    - always
  community.hashi_vault.vault_write:
    token: "{{ lookup('ansible.builtin.env', 'VAULT_TOKEN') }}"
    url: "https://vault.vaulty.group"
    namespace: "ekg_prd/cmp"
    path: "{{ vault_roles | mandatory }}"
    data:
      kubernetes_namespace: "utilities"
      cluster_role_binding: false
      ttl: "1h"
  no_log: true
  register: k8stoken