"Invalid Vault Token Specified." hashi_vault.vault_pki_generate_certificate - Ansible
I am trying to generate a certificate from Hashicorp's Vault with the help of Ansible, as in this link https://docs.ansible.com/ansible/devel/collections/community/hashi_vault/vault_pki_generate_certificate_module.html
My Ansible tasks:
- name: Login and use the resulting token
  community.hashi_vault.vault_login:
    # url: http://127.0.0.1:8100
    auth_method: token
    token_file: /tmp/vault_token
  register: login_data

- name: check token
  debug:
    msg: "{{ login_data }}"

- name: Generate a certificate with an existing token
  community.hashi_vault.vault_pki_generate_certificate:
    role_name: blinchik_user_cert_ica2
    common_name: local-docker-registry.service.brain.consul
    url: http://127.0.0.1:8100/v1/pki/brain/v1/ica2/v1/issue
    ttl: 5760h
    auth_method: token
    token: "{{ login_data.login.auth.client_token }}"
  register: cert_data
The login part seems to work, but generating the certificate does not.
Error:
fatal: [localhost]: FAILED! => {"changed": false, "msg": "Invalid Vault Token Specified."}
I did test the token produced in "{{ login_data }}" and it is a valid token.
With Consul-template I can generate the certificate like this:
{{ with secret "pki/brain/v1/ica2/v1/issue/blinchik_user_cert_ica2" "common_name=local-docker-registry.service.brain.consul" "ttl=30536000" }}
{{ .Data.certificate -}}
{{ end }}
Any idea what is wrong with my configuration?

I was trying to put my certificate route in the wrong place in Vault (VAULT_ADDR or url). Instead I put it in engine_mount_point and it worked.
The working configuration is:
- name: Generate a certificate with an existing token
  community.hashi_vault.vault_pki_generate_certificate:
    role_name: blinchik_user_cert_ica2
    engine_mount_point: pki/brain/v1/ica2/v1
    common_name: local-docker-registry.service.brain.consul
    url: http://127.0.0.1:8100
    ttl: 5760h
    auth_method: token
    token: "{{ login_data.login.auth.client_token }}"
  register: cert_data
  no_log: true
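Added example, not part of the question or answer above: a small Python script that shows why the two configurations behave differently. It assumes, as hvac-based clients do, that every API path is appended to the configured `url` as `/v1/<path>`, and that the module verifies the token against `auth/token/lookup-self` before calling the PKI endpoint (both are assumptions about module behaviour, not facts stated on the page). The helper `split_secret_path` also converts the Consul-template secret path from the question into the `engine_mount_point` and `role_name` parameters; the function names are mine.

```python
from urllib.parse import urlsplit

# Values taken from the question (role name, mount path, Vault address).
VAULT_URL = "http://127.0.0.1:8100"
CONSUL_TEMPLATE_PATH = "pki/brain/v1/ica2/v1/issue/blinchik_user_cert_ica2"


def split_secret_path(secret_path):
    """Split a consul-template secret path '<mount>/issue/<role>' into the
    module parameters (engine_mount_point, role_name)."""
    mount, sep, role = secret_path.strip("/").rpartition("/issue/")
    if not sep or not mount or not role:
        raise ValueError("expected '<mount>/issue/<role>', got %r" % secret_path)
    return mount, role


def vault_request_urls(url, engine_mount_point, role_name):
    """Return the URLs an hvac-style client builds from the task parameters.
    Assumption: API paths are appended to `url` as '/v1/<path>'."""
    base = url.rstrip("/")
    mount = engine_mount_point.strip("/")
    return {
        "token_lookup": "%s/v1/auth/token/lookup-self" % base,
        "issue": "%s/v1/%s/issue/%s" % (base, mount, role_name),
    }


def check_task(url, engine_mount_point, role_name):
    """Lint the three parameters; an empty list means they look consistent."""
    problems = []
    path = urlsplit(url).path
    if path not in ("", "/"):
        # Anything after the host is prepended to *every* API call, so even
        # the token self-lookup lands on a non-existent path.
        problems.append("url carries a path %r; move it to engine_mount_point" % path)
    if "/issue" in "/" + engine_mount_point.strip("/"):
        problems.append("engine_mount_point must stop before '/issue'")
    if "/" in role_name:
        problems.append("role_name must be a bare role, not a path")
    return problems


if __name__ == "__main__":
    # Failing task: the full issue path was placed in `url`; the module's
    # default mount point ("pki" is assumed here) is appended on top of it.
    bad = vault_request_urls(VAULT_URL + "/v1/pki/brain/v1/ica2/v1/issue", "pki", "blinchik_user_cert_ica2")
    mount, role = split_secret_path(CONSUL_TEMPLATE_PATH)
    good = vault_request_urls(VAULT_URL, mount, role)
    for label, urls in (("failing", bad), ("working", good)):
        print(label, "token lookup ->", urls["token_lookup"])
        print(label, "issue        ->", urls["issue"])
    print("lint of failing task:", check_task(VAULT_URL + "/v1/pki/brain/v1/ica2/v1/issue", "pki", role))
    print("lint of working task:", check_task(VAULT_URL, mount, role))
```

Running it prints the token-lookup URL the failing task would use, `.../v1/pki/brain/v1/ica2/v1/issue/v1/auth/token/lookup-self`, which no Vault server serves, so the token check fails before any certificate is requested; with the mount path in `engine_mount_point` the issue URL becomes exactly the `/v1/pki/brain/v1/ica2/v1/issue/blinchik_user_cert_ica2` endpoint that the Consul-template snippet reads.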