Issue with LDAP and vault_login & vault_kv2_get modules.

[pickled-cucumber-3000]

When I try to get the secrets from the vault using the community.hashi_vault.vault_kv2_get and community.hashi_vault.vault_login ansible modules, there is a problem with LDAP.

The push does not come to the DUO, although the request seems to have been sent at the stage of using the vault_login module, because as a result I get(first part of output was removed to save space)

TASK [login]:
changed: [localhost] => {
    "changed": true,
    "login": {
           "auth": {
                "accessor": "",
                "client_token": "",
                "entity_id": "",
                "lease_duration": 0,
                "metadata": null,
                "mfa_requirement": {
                    "mfa_constraints": {
                        "DUO": {
                            "any": [
                                {
                                    "id": "some_first_id",
                                    "type": "duo"
                                }
                            ]
                        }
                    },
                    "mfa_request_id": "some_second_id"
                },
                "num_uses": 0,
                "orphan": false,
                "policies": null,
                "renewable": false,
                "token_type": "default"
            },
            "data": {},
            "lease_duration": 0,
            "lease_id": "",
            "renewable": false,
            "request_id": "some_another_second_id",
            "warnings": [
                "A login request was issued that is subject to MFA validation. Please make sure to validate the login by sending another request to mfa/validate endpoint."
            ],
            "wrap_info": null
        }

### Here is the playbook:

- name: Get the Secret  From Hashicorp Vault 
   hosts: 127.0.0.1
   tasks:
   - name: login
     community.hashi_vault.vault_login:
       auth_method: ldap
       mount_point: ldap
       url: https://vault.example.com
       username: myname
       password: mypassword
       timeout: 60
     register: login

   - name: get secret
     community.hashi_vault.vault_kv2_get:
       engine_mount_point: secret-kv2
       url: https://vault.example.com
       auth_method: token
       token: '{{ login | community.hashi_vault.vault_login_token }}'
       path: product/env/service
     register: secret

   - name: Display the results 
     ansible.builtin.debug:
       msg:
         - "Secret: {{ secret }}"

Maybe I made the playbook wrong?
I read almost all the documentation of the modules
community.hashi_vault... and looked into the Python scripts. The solution of an issue dosen't came to my mind.
Help my please with this issue.

[briantist]

Hi @nskylink ! Thanks for bringing this up.

At the moment, we don't support the "Login MFA" method in Vault. We also rely on the hvac library, which doesn't have support for it yet either.

So, I've opened this issue for adding support in hvac:

• Add support for Login MFA hvac/hvac#984

And this one to track that for community.hashi_vault:

• Support Vault Login MFA #369

I recommend subscribing to those issues if you want to get notified when there are any changes.

I doubt we'll see any movement on those issues in the short term, because there's a good chance I will implement them and my time is stretched super thin. If someone else from the community steps up to implement it, that would be great, but support for Login MFA can't be added in a vacuum because it needs to touch a lot of other areas of both codebases. Since I'm the only maintainer on this collection and the most active maintainer on hvac it will probably still require a decent chunk of my time.

---

In the meantime, it may be possible to workaround the issue in pure ansible, by using the returned values and making the MFA validation call yourself with ansible.builtin.uri, but I can't give an example right now and I haven't tested it.

If you come up with something it would b great to post it as a new answer here.

[pickled-cucumber-3000]

I came with updates. I tried to do the same, only through the ansible.builtin.uri module. As a result, I ran into the same problem. Even through curl the same result. I do not understand why this does not work, but it is described in the documentation of the same vault as a working option.

It remains for me to use one of the methods, this is an approle or a token.

[briantist]

If you post what you did exactly, it might be possible to help troubleshoot. But it also depends on the configuration of your Vault server.

[pickled-cucumber-3000]

curl -v -X POST -H 'Content-Type: application/json' -d '{ "password": "mypass" }' https://vault.example.com/v1/auth/ldap/login/alias

[briantist]

did you do the follow-up request to the mfa/validate endpoint?

[pickled-cucumber-3000]

What request are you talking about?
I ran this command and didn't get push notification in MFA DUO

[briantist]

In the return value of your request, it includes this warning:

A login request was issued that is subject to MFA validation. Please make sure to validate the login by sending another request to mfa/validate endpoint.

This means you or your Vault admin set it up to use "Login MFA" which is a specific way of doing MFA with Vault that requires either including your MFA info in the original request, or by doing an additional request after the login.

The reason this doesn't work with hvac and (by extension, community.hashi_vault) is that we don't have the logic for doing either of those things.

You can continue using community.hashi_vault.login the way you're currently doing, but the additional request is not supported right now and so you must do it another way (like with the uri module, or with curl or something).

I recommend checking out the links at the bottom of this issue:

• Add support for Login MFA hvac/hvac#984

[nratineau]

Until native support is added, if using Duo MFA with Vault which support Single Phase login. You can use the code below to generate a token then use it with the community.hashi_vault modules (using token auth).
https://developer.hashicorp.com/vault/docs/auth/login-mfa#single-phase-login

You can get the Duo MFA UUID from the UI under Access->Multi-factor Authentication
Or via the CLI vault auth list -detailed

- name: Generate a new Vault token
  ansible.builtin.uri:
    url: "https://<vault-url>/v1/auth/ldap/login/{{ vault_user }}"
    method: POST
    headers:
      X-Vault-MFA: "<your-duo-mfa-uuid>"
    body_format: json
    body:
      password: "{{ vault_user_password }}"
  register: login_data
  check_mode: false

- name: Store the Vault token
  ansible.builtin.set_fact:
    vault_token: "{{ login_data.json.auth.client_token }}"
  no_log: true
  check_mode: false