hashi_vault - add support for none auth type

changelogs/fragments/80-add-none-auth-type.yml

@@ -0,0 +1,3 @@
+---
+minor_changes:
+  - hashi_vault lookup - add ``none`` auth type which allows for passive auth via a Vault agent (https://github.com/ansible-collections/community.hashi_vault/pull/80).

plugins/lookup/hashi_vault.py

@@ -125,6 +125,7 @@
     auth_method:
       description:
         - Authentication method to be used.
+        - C(none) auth method was added in collection version C(1.2.0).
       env:
         - name: VAULT_AUTH_METHOD
           deprecated:
@@ -147,6 +148,7 @@
         - approle
         - aws_iam_login
         - jwt
+        - none
       default: token
     return_format:
       description:
@@ -307,6 +309,14 @@
   ansible.builtin.debug:
     msg: "{{ lookup('community.hashi_vault.hashi_vault', 'secret/hello:value', token=my_token, token_validate=False) }}"
 
+# "none" auth method does no authentication and does not send a token to the Vault address.
+# One example of where this could be used is with a Vault agent where the agent will handle authentication to Vault.
+# https://www.vaultproject.io/docs/agent
+
+- name: authenticate with vault agent
+  ansible.builtin.debug:
+    msg: "{{ lookup('community.hashi_vault.hashi_vault', 'secret/hello:value', auth_method='none', url='http://127.0.0.1:8100') }}"
+
 # Use a proxy
 
 - name: use a proxy with login/password
@@ -560,6 +570,8 @@ def auth_jwt(self):
         except (NotImplementedError, AttributeError):
             raise AnsibleError("JWT authentication requires HVAC version 0.10.5 or higher.")
 
+    def auth_none(self):
+        pass
     # end auth implementation methods
 
 
@@ -630,7 +642,7 @@ def field_ops(self):
     def auth_methods(self):
         # enforce and set the list of available auth methods
         # TODO: can this be read from the choices: field in documentation?
-        avail_auth_methods = ['token', 'approle', 'userpass', 'ldap', 'aws_iam_login', 'jwt']
+        avail_auth_methods = ['token', 'approle', 'userpass', 'ldap', 'aws_iam_login', 'jwt', 'none']
         self.set_option('avail_auth_methods', avail_auth_methods)
         auth_method = self.get_option('auth_method')
 
@@ -725,4 +737,6 @@ def validate_auth_aws_iam_login(self, auth_method):
     def validate_auth_jwt(self, auth_method):
         self.validate_by_required_fields(auth_method, 'role_id', 'jwt')
 
+    def validate_auth_none(self, auth_method):
+        pass
     # end auth method validators

tests/integration/targets/lookup_hashi_vault/lookup_hashi_vault/tasks/main.yml

@@ -22,6 +22,10 @@
 - include_tasks: tinyproxy_server.yml
   when: not vault_proxy_external | bool
 
+- import_tasks: tests.yml
+  vars:
+    auth_type: none
+
 - import_tasks: tests.yml
   vars:
     auth_type: token

tests/integration/targets/lookup_hashi_vault/lookup_hashi_vault/tasks/none_test.yml

@@ -0,0 +1,17 @@
+---
+# TODO: consider setting up a Vault agent in CI to provide a better test of the none method
+# TODO: unit tests can probably check easily that the none method results in a client with no token
+- name: "Test that a request with none auth_type is not successful"
+  vars:
+    ansible_hashi_vault_auth_method: none
+  debug:
+    msg: "{{ lookup('community.hashi_vault.hashi_vault', conn_params ~ 'secret=' ~ vault_kv2_path ~ '/secret1') }}"
+  register: status
+  ignore_errors: yes
+
+- name: "Assert failure of expected type"
+  assert:
+    that:
+      - status is failed
+      - status.msg is search('missing client token')
+        # msg may need updating over time