-
-
Save gthieleb/0745439634d6eb7a1c80c6ff29ed94d4 to your computer and use it in GitHub Desktop.
Script to convert an ansible vault into a yaml file with encrypted strings
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash | |
| #Vault password is 1 | |
| echo "Converting vault to yaml format:" | |
| ansible-vault decrypt --output - vault | python ./convert_vault.py > new-vault.yml | |
| echo "Decrypting a variable from the converted vault" | |
| ansible localhost -i localhost, -e @new-vault.yml -m debug -a 'var=secret' --ask-vault-pas |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import sys | |
| import re | |
| import yaml | |
| import argparse | |
| from ansible.parsing.vault import VaultLib | |
| from ansible.cli import CLI | |
| from ansible import constants as C | |
| from ansible.parsing.dataloader import DataLoader | |
| from ansible.parsing.yaml.dumper import AnsibleDumper | |
| from ansible.parsing.yaml.loader import AnsibleLoader | |
| from ansible.parsing.yaml.objects import AnsibleVaultEncryptedUnicode | |
| """ | |
| This script reads a yaml file and dumps it back while encrypting | |
| the values but keeping the keys plaintext. To convert an ansible | |
| vault file format into yaml you can do: | |
| ansible-vault decrypt --output - vault | \ | |
| python ./convert_vault.py > new-vault | |
| """ | |
| def encrypt_string(decrypted_secret, vault_id=None): | |
| """ | |
| Encrypts string | |
| """ | |
| loader = DataLoader() | |
| vault_secret = CLI.setup_vault_secrets( | |
| loader=loader, | |
| vault_ids=C.DEFAULT_VAULT_IDENTITY_LIST | |
| ) | |
| vault = VaultLib(vault_secret) | |
| return AnsibleVaultEncryptedUnicode( | |
| vault.encrypt(decrypted_secret, | |
| vault_id=vault_id)) | |
| def encrypt_dict(d, vault_id=None, pattern=None): | |
| for key in d: | |
| value = d[key] | |
| if isinstance(value, str): | |
| if not re.search(pattern, key): | |
| continue | |
| d[key] = encrypt_string(value, vault_id) | |
| elif isinstance(value, list): | |
| for item in value: | |
| encrypt_dict(item, vault_id=vault_id, pattern=pattern) | |
| elif isinstance(value, dict): | |
| encrypt_dict(value, vault_id=vault_id, pattern=pattern) | |
| def main(): | |
| parser = argparse.ArgumentParser() | |
| parser.add_argument('--input-file', | |
| help='File to read from', | |
| default='-') | |
| parser.add_argument('--vault-id', | |
| help='Vault id used for the encryption') | |
| parser.add_argument('--pattern', | |
| default=r'password', | |
| help='Pattern of key that should be encrypted') | |
| args = parser.parse_args() | |
| in_file = sys.stdin if args.input_file == '-' else open(args.input_file) | |
| data = yaml.load(in_file, Loader=AnsibleLoader) | |
| encrypt_dict(data, vault_id=args.vault_id, pattern=args.pattern) | |
| print(yaml.dump(data, Dumper=AnsibleDumper)) | |
| if __name__ == "__main__": | |
| main() |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| $ANSIBLE_VAULT;1.1;AES256 | |
| 32656465316437646133376138393234386439303536343631343763396661386339366431346263 | |
| 3036313832303437623834633363396333343338643930640a343266336434383434646530386664 | |
| 61623665363935373738366634613363626132613861666432396630396436306534303265303430 | |
| 3637306164666265380a386431363364636666626263653864613866323235366638386261353433 | |
| 30643765623033353435313230663933353931616530663735303437393138663738 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment