Morning Everyone,

I am using Delinea Privilege Vault as an external secret vault for the various credentials I use in Ansible Automation Platform 2. This has been working excellently for passing credentials to hosts I connect to within my playbooks.

However, my needs have now evolved to where I now need to pass the secrets as parameters to commands I run within the playbook. I've come across the following documentation that discusses this (click here <https://docs.ansible.com/ansible/latest/collections/community/general/tss_lookup.html>), but I noticed the lookup module requires a username/password or token to be passed as parameters of the lookup module.

Since OAuth is a widely used authorisation protocol with Cloud services (which developers are likely to use Ansible to interface with), I wanted to start a broader discussion here with developers about best practices and what Ansible developers are doing vis-a-vis requesting and expiring access tokens in playbooks. Obviously, it makes sense to request a token at the beginning of the playbook and then expire the token as the last step of the playbook. The only problem I'm seeing there is that it requires me to pass the *client_id* and *client_secret* in as parameters into the playbook. Unless I specify *no_log* for that step, those credentials get exposed in the headers of the token request. And, if I specify *no_log*, I lose my ability to troubleshoot if there is ever an error thrown during the token request. And so, there starts one part of my conundrum.

So, my first question starts with: is there some built-in generic OAuth token request module I can use to request and expire an access_token? Something that would allow me to store the *client_id* and *client_secret* in Privilege Vault, which I would pass as parameters, and the Ansible module/task would request the access_token and provide some debugging without exposing the *client_id* and *client_secret*? And if that does not exist, then how are developers managing access tokens in your playbooks currently? Am I overthinking this?

Regards,
Tim

-- 
You received this message because you are subscribed to the Google Groups "Ansible Development" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ansible-devel+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-devel/aca9cc8b-ac68-4dbf-8c15-5d978d3d4a02n%40googlegroups.com.
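One way to get both goals at once, as an added example that is not part of the original post or of the tss lookup docs: the secret is pulled with the lookup from the post, the token request runs under *no_log* but is registered so a follow-up task can print only the HTTP status and message, and the token is revoked as the last step. The secret ID (102), the vault and IdP URLs, the `deploy.sh` command and the field slugs `client_id`/`client_secret` are placeholders, and the vault login is assumed to be in the `TSS_USERNAME`/`TSS_PASSWORD` environment variables.

```yaml
# Added example (not from the original post): fetch OAuth client credentials
# from Privilege Vault, request a client_credentials token without logging
# secrets, surface only the HTTP status on failure, and revoke the token last.
# Secret ID, URLs, field slugs and the command are placeholders.
- hosts: localhost
  gather_facts: false
  vars:
    oauth_secret: >-
      {{ lookup('community.general.tss', 102,
                base_url='https://secretserver.example.com/SecretServer/',
                username=lookup('env', 'TSS_USERNAME'),
                password=lookup('env', 'TSS_PASSWORD')) }}
    # slug -> value map of the secret's fields (client_id, client_secret)
    oauth: "{{ oauth_secret['items'] | items2dict(key_name='slug', value_name='itemValue') }}"
  tasks:
    - name: Request an access token (no_log keeps client_secret out of the log)
      ansible.builtin.uri:
        url: https://idp.example.com/oauth2/token
        method: POST
        url_username: "{{ oauth['client_id'] }}"
        url_password: "{{ oauth['client_secret'] }}"
        force_basic_auth: true
        body_format: form-urlencoded
        body: { grant_type: client_credentials }
      register: token_resp
      no_log: true
      ignore_errors: true

    # The registered result is still available, so print only the safe fields.
    - name: Fail with a sanitized message if the token request did not succeed
      ansible.builtin.fail:
        msg: "token request failed: HTTP {{ token_resp.status | default('n/a') }} {{ token_resp.msg | default('') }}"
      when: token_resp is failed

    - name: Pass the token to a command as a parameter
      ansible.builtin.command:
        argv: ["./deploy.sh", "--token", "{{ token_resp.json.access_token }}"]
      no_log: true

    - name: Revoke the token as the last step (RFC 7009 revocation endpoint)
      ansible.builtin.uri:
        url: https://idp.example.com/oauth2/revoke
        method: POST
        url_username: "{{ oauth['client_id'] }}"
        url_password: "{{ oauth['client_secret'] }}"
        force_basic_auth: true
        body_format: form-urlencoded
        body: { token: "{{ token_resp.json.access_token }}", token_type_hint: access_token }
      no_log: true
```

If the token must be revoked even when the command fails, put the command and revoke tasks in a `block` with the revoke under `always`.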