How-to

Use this when Ansible or AAP needs a value already stored in an IdM vault.

Boundary: Read-only
Authority: idm, collection, ansible
Evidence: command-output

Retrieve an IdM vault secret

When To Use This

Use this when Ansible or AAP needs a value already stored in an IdM vault.

Required Authority

IdM owns the vault and its payload. The lookup retrieves the payload under the caller's own identity: the Kerberos principal or credentials the control node or execution environment presents must already be authorized to retrieve that vault, and the collection adds no authority of its own. Ansible must never print payload material.

Safety Boundary

This workflow is read-only: it retrieves an existing payload and does not create, modify, archive, or delete vault data. Confirm that this is the intended boundary before placing it in a scheduled job or AAP workflow, where it will run unattended under the automation credential.

Secret Handling

Do not print payload material. Mark every task that receives, templates, or passes the value with no_log: true, including the consuming task, because Ansible otherwise records module arguments and registered results in its output and in AAP job logs. Review artifacts should carry only redacted values such as a digest or a length, and rendering a payload manifest should be opt-in rather than the default.

Inputs

  • Vault name and scope (shared, user, or service vault)
  • IdM client libraries and Kerberos tooling on the control node or in the execution environment
  • Credentials (for example a keytab for an automation principal) allowed to retrieve the vault payload

Steps

  1. Confirm the vault exists with metadata-only retrieval first, so a missing vault fails before any payload is touched.
  2. Retrieve the payload in a task marked no_log: true.
  3. Pass the value directly to the consuming task (also under no_log: true) or render a redacted review artifact; never write the value to disk or to task output.

Minimal form of the retrieval task:

  - name: Retrieve database password from IdM vault
    ansible.builtin.set_fact:
      db_password: "{{ lookup('eigenstate.ipa.vault', 'app-db-password', scope='shared') }}"
    no_log: true

This short form passes the scope as scope='shared', while the full playbook below passes shared=true together with the server and keytab. Check the lookup plugin documentation for the keyword names your installed version of the collection accepts before relying on either form.

Example Secret Retrieval

This playbook retrieves a shared IdM vault value into memory, keeps task output redacted, and uses the value without writing it to disk.

retrieve-vault-secret.yml

---
- name: Retrieve one IdM vault value for a job
  hosts: localhost
  gather_facts: false
  vars:
    ipa_server: idm-01.example.com
    ipa_keytab: /runner/env/ipa/automation.keytab
  tasks:
    - name: Read database password from a shared IdM vault
      ansible.builtin.set_fact:
        database_password: >-
          {{ lookup('eigenstate.ipa.vault',
                    'database-password',
                    server=ipa_server,
                    kerberos_keytab=ipa_keytab,
                    shared=true) }}
      no_log: true

    - name: Use the value in a protected task
      ansible.builtin.debug:
        msg: "Database password was retrieved for this job."
      no_log: true

Run It

ansible-playbook retrieve-vault-secret.yml
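The playbook above covers step 2 only. The following is an added example, not the page's own playbook and not code from the collection, that carries all three steps: a metadata-only existence check, retrieval under no_log, and a redacted review artifact that reports the vault_not_found and digest_mismatch failure classes named under Expected Evidence. It assumes the ipa CLI and Kerberos tools are present in the control node or execution environment, that the automation principal name, the expected digest, the psql consumer and its host are illustrative, and that the lookup keyword names are those the page's playbook uses.

```yaml
---
# Added example: not the page's own playbook and not code from the collection.
# Assumptions (not stated on the page): the `ipa` CLI and Kerberos tools exist
# in the control node or EE; the principal name, the expected digest and the
# consuming command (psql against db.example.com) are illustrative; the lookup
# keyword names are taken from the page's own playbook.
- name: Retrieve one IdM vault value with a metadata check and redacted evidence
  hosts: localhost
  gather_facts: false
  vars:
    ipa_server: idm-01.example.com
    ipa_keytab: /runner/env/ipa/automation.keytab
    ipa_principal: automation@EXAMPLE.COM        # assumed principal name
    vault_name: database-password
    # Digest recorded when the value was archived; pass it with -e to enable the
    # read-back check. Empty means "retrieve only, do not verify".
    expected_sha256: ""
    # Opt-in: include digest and length in the review artifact. Never the value.
    render_manifest: false
  tasks:
    - name: Obtain a Kerberos ticket from the keytab for the ipa CLI (no secret output)
      ansible.builtin.command:
        argv: [kinit, "-kt", "{{ ipa_keytab }}", "{{ ipa_principal }}"]
      changed_when: false

    - name: Step 1 - confirm the vault exists using metadata only
      # ipa vault-show returns name, type and owner, never the payload,
      # so this result is safe to register and to log.
      ansible.builtin.command:
        argv: [ipa, vault-show, "{{ vault_name }}", "--shared"]
      register: vault_meta
      changed_when: false
      failed_when: false

    - name: Stop with the vault_not_found failure class before touching any payload
      ansible.builtin.fail:
        msg: "failure_class=vault_not_found vault={{ vault_name }} shared=true"
      when: vault_meta.rc != 0

    - name: Step 2 - retrieve the payload into memory only
      ansible.builtin.set_fact:
        database_password: >-
          {{ lookup('eigenstate.ipa.vault', vault_name,
                    server=ipa_server,
                    kerberos_keytab=ipa_keytab,
                    shared=true) }}
      no_log: true

    - name: Step 3 - build the review artifact from redacted values only
      # Runs under no_log because the expressions touch the payload; the
      # resulting fact holds a digest and a length, never the value itself.
      ansible.builtin.set_fact:
        vault_artifact:
          vault: "{{ vault_name }}"
          shared: true
          read_back_verified: >-
            {{ expected_sha256 != '' and
               (database_password | hash('sha256')) == expected_sha256 }}
          payload_sha256: "{{ (database_password | hash('sha256')) if render_manifest else 'redacted' }}"
          payload_length: "{{ (database_password | length) if render_manifest else 'redacted' }}"
      no_log: true

    - name: Stop with the digest_mismatch failure class if read-back verification fails
      ansible.builtin.fail:
        msg: "failure_class=digest_mismatch vault={{ vault_name }}"
      when: expected_sha256 != '' and not (vault_artifact.read_back_verified | bool)

    - name: Show the review artifact (safe to log, it contains no payload material)
      ansible.builtin.debug:
        var: vault_artifact

    - name: Pass the value to the consumer through the environment, not argv or a file
      ansible.builtin.command:
        argv: [psql, "-h", db.example.com, "-U", app, "-d", app, "-c", "SELECT 1"]
      environment:
        PGPASSWORD: "{{ database_password }}"
      no_log: true
      changed_when: false

    - name: Discard the Kerberos ticket when the job is done
      ansible.builtin.command:
        argv: [kdestroy]
      changed_when: false
```

Run it with -e expected_sha256=<digest recorded at archive time> to turn on the read-back check, and -e render_manifest=true only when a reviewer explicitly needs the digest and length. The value reaches psql through the environment rather than argv so it does not appear in process listings, and every task that touches it is under no_log. In a scheduled job, wrap the tasks in a block with an always section so kdestroy still runs when an earlier task fails.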

Expected Evidence

A live validation run records that the vault payload was retrieved and read back successfully, and names the failure classes it would have reported for a missing vault or a digest mismatch, without including the payload itself:

{
  "vault_artifact": {
    "read_back_verified": true,
    "missing_failure_class": "vault_not_found",
    "mismatch_failure_class": "digest_mismatch"
  }
}

Troubleshooting

  • Vault not found: verify the name and scope, and confirm with a metadata-only lookup (ipa vault-show) that the calling principal can see the vault at all.
  • Authentication failure: verify that the IdM client libraries are present on the control node or in the execution environment, that the keytab path is correct, and that a valid ticket exists (klist).
  • Unexpected binary data: use encoding='base64' so the payload is handled as text inside Ansible.