Tutorial

Learn the safe vault retrieval flow with sample material.

Boundary: Read-only
Authority: idm, collection
Evidence: command-output

Retrieve your first IdM vault value

What You Will Build

A task that retrieves one lab vault value without printing it.

What You Need Before Starting

  • A lab vault containing non-production sample material
  • IdM client Python libraries on the control node or in the execution environment (EE)
  • Credentials allowed to retrieve the vault

Lab Assumptions

  • The vault is named app-bootstrap.
  • The value is fake lab data.
  • Every payload-bearing task uses no_log: true.

Step-By-Step Path

  1. Run a metadata-only check for the vault.
  2. Retrieve the value into a fact with no_log: true.
  3. Use only a redacted confirmation in output.

Create first-vault-retrieval.yml from the example below, keep the payload-bearing retrieval task redacted, and run it with the command shown under Run It.

Example Tutorial Playbook

Retrieve one shared vault value, keep it redacted, and prove the workflow without printing the secret. The playbook covers steps 2 and 3 of the path above; the metadata-only check from step 1 is not part of this example.

first-vault-retrieval.yml

---
- name: Retrieve one IdM vault value safely
  hosts: localhost
  gather_facts: false
  tasks:
    # Payload-bearing task: no_log: true keeps the lookup result out of task
    # output and logs. The value exists only in the fact app_secret.
    - name: Read a shared vault value into memory
      ansible.builtin.set_fact:
        app_secret: >-
          {{ lookup('eigenstate.ipa.vault',
                    'app-bootstrap',
                    server='idm-01.example.com',
                    kerberos_keytab='/runner/env/ipa/automation.keytab',
                    shared=true) }}
      no_log: true

    # Confirmation only: this message must never interpolate app_secret.
    - name: Report only that retrieval succeeded
      ansible.builtin.debug:
        msg: "Retrieved app-bootstrap from IdM vault for this job."

Run It

ansible-playbook first-vault-retrieval.yml

Expected Evidence

A successful run shows that the collection lookup worked and that output stops at a shape-only confirmation. The payload-bearing task prints only its status line, because no_log: true withholds its result, and neither set_fact nor debug reports a change, so the recap ends with changed=0.

PLAY [Retrieve one IdM vault value safely] *****************************

TASK [Read a shared vault value into memory] ***************************
ok: [localhost]

TASK [Report only that retrieval succeeded] ****************************
ok: [localhost] => {
    "msg": "Retrieved app-bootstrap from IdM vault for this job."
}

PLAY RECAP ************************************************************
localhost                  : ok=2    changed=0    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0

What You Learned

  • Vault payloads can be consumed without copying them into inventory or variable files.
  • no_log: true belongs on every payload-bearing task.
  • no_log: true hides a task's result, not the fact it set: any later task that references app_secret without no_log: true (a debug with var: app_secret is the usual slip) prints the value.
  • Reference output should show shape, not real secret values.
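The no_log rule above can be checked mechanically before a playbook runs. The lint below is an added example, not code from this page or from any IdM collection. It assumes PyYAML is installed, uses a constructed playbook made of the tutorial's two tasks plus deliberately leaky follow-on tasks, and flags any task that could template a fact set under no_log: true into its output, including the easy-to-miss debug var: form, which takes a bare variable name with no braces.

```python
"""Lint: flag Ansible tasks that could print a no_log-protected fact.

Added example, not part of the page or of any IdM collection.
Assumption: PyYAML is installed (pip install pyyaml).
"""
import re
import yaml  # PyYAML

# Bodies of {{ ... }} expressions and the identifiers inside them.
JINJA_EXPR = re.compile(r"{{(.*?)}}", re.S)
IDENT = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")

SET_FACT_KEYS = ("ansible.builtin.set_fact", "set_fact")
DEBUG_KEYS = ("ansible.builtin.debug", "debug")


def _strings(node):
    """Yield every string scalar inside a nested task structure."""
    if isinstance(node, str):
        yield node
    elif isinstance(node, dict):
        for key, value in node.items():
            yield from _strings(key)
            yield from _strings(value)
    elif isinstance(node, list):
        for value in node:
            yield from _strings(value)


def _referenced_names(task):
    """Names a task can template into its output: identifiers inside
    {{ }} anywhere in the task, plus the bare name given to debug's var:."""
    names = set()
    for text in _strings(task):
        for expr in JINJA_EXPR.findall(text):
            names.update(IDENT.findall(expr))
    for key in DEBUG_KEYS:
        args = task.get(key)
        if isinstance(args, dict) and isinstance(args.get("var"), str):
            # var: app_secret['k'] or app_secret.k still names app_secret
            names.add(re.split(r"[.\[]", args["var"].strip(), maxsplit=1)[0])
    return names


def find_leaks(playbook_text):
    """Return [(task name, fact name)] for tasks that reference a fact set
    under no_log: true while not carrying no_log: true themselves."""
    leaks = []
    for play in yaml.safe_load(playbook_text) or []:
        protected = set()  # facts set by a no_log task earlier in this play
        for task in play.get("tasks") or []:
            if task.get("no_log") is True:
                # Output is suppressed; remember which facts it produced.
                for key in SET_FACT_KEYS:
                    facts = task.get(key)
                    if isinstance(facts, dict):
                        protected.update(k for k in facts if k != "cacheable")
                continue
            for fact in sorted(_referenced_names(task) & protected):
                leaks.append((task.get("name", "<unnamed>"), fact))
    return leaks


# Constructed sample: the tutorial's two tasks plus three follow-on tasks,
# two of which leak the fact and one of which is handled correctly.
LAB_PLAYBOOK = """\
---
- name: Retrieve one IdM vault value safely
  hosts: localhost
  gather_facts: false
  tasks:
    - name: Read a shared vault value into memory
      ansible.builtin.set_fact:
        app_secret: "{{ lookup('eigenstate.ipa.vault', 'app-bootstrap', shared=true) }}"
      no_log: true

    - name: Report only that retrieval succeeded
      ansible.builtin.debug:
        msg: "Retrieved app-bootstrap from IdM vault for this job."

    - name: Dump the fact (constructed leak)
      ansible.builtin.debug:
        var: app_secret

    - name: Report its length (constructed leak)
      ansible.builtin.debug:
        msg: "Value has {{ app_secret | length }} characters"

    - name: Check the value is non-empty without printing it
      ansible.builtin.assert:
        that:
          - app_secret | length > 0
        quiet: true
      no_log: true
"""

if __name__ == "__main__":
    for task_name, fact in find_leaks(LAB_PLAYBOOK):
        print(f"LEAK: task {task_name!r} references protected fact {fact!r}")
```

Run with python3 and it names the two leaky tasks; the final assert passes clean because its own result is suppressed by no_log: true. The lint is deliberately narrow: it only sees Jinja references and debug var: names inside the playbook text, so a fact passed into a shell command that echoes it, or a registered result that carries it, is outside its view. Treat a clean report as a starting point for review, not as proof.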

Next Page

Continue with /how-to/retrieve-idm-vault-secret.html.