Last active
August 27, 2024 13:48
-
-
Save NiceRath/67d9fd819a0a088ce34eab7a767dff3a to your computer and use it in GitHub Desktop.
Ansible - Decrypt Vault and Pipe output to parent process
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # this can be useful in CI environments if you need to process config or secrets and pipe them to the parent process in a secure manner | |
| # example file: secrets.yml | |
| > my_secret1: !vault | | |
| > $ANSIBLE_VAULT;1.1;AES256 | |
| > ... | |
| > service_xyz: !vault | | |
| > $ANSIBLE_VAULT;1.1;AES256 | |
| > ... | |
| # example playbook: decrypt.yml | |
| > - name: Decrypt inline vault variables from a YAML file | |
| > hosts: localhost | |
| > gather_facts: no | |
| > tasks: | |
| > - name: Load secrets | |
| > ansible.builtin.include_vars: | |
| > file: 'secrets.yml' | |
| > name: vault_data | |
| > | |
| > - name: Decrypt and send to PIPE | |
| > ansible.builtin.debug: | |
| > msg: "{{ vault_data | to_json | write_secrets_to_pipe }}" | |
| # example: filter_plugins/util.py | |
| > import io | |
| > # import os | |
| > | |
| > class FilterModule(object): | |
| > def filters(self): | |
| > return { | |
| > 'write_secrets_to_pipe': self.write_secrets_to_pipe, | |
| > } | |
| > | |
| > def write_secrets_to_pipe(self, data: str): | |
| > w = io.open(69, 'wb', 0) | |
| > w.write(data.encode('utf-8')) | |
| > w.flush() | |
| > # print(os.listdir('/dev/fd/')) | |
| # write secrets to parent stdout | |
| ansible-playbook --ask-vault-pass decrypt.yml 69>&1 1>/dev/null 2>/dev/null |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment