Skip to content

Instantly share code, notes, and snippets.

@mchubby

mchubby/Ansible-vault-id-script.md

Last active October 2, 2022 16:21
Show Gist options
  • Save mchubby/3cb173f09be474b6ebff521339c94fb5 to your computer and use it in GitHub Desktop.
Save mchubby/3cb173f09be474b6ebff521339c94fb5 to your computer and use it in GitHub Desktop.
Download ZIP
Trying to get Ansible --vault-id auto selection working
Raw
Ansible-vault-id-script.md

Base OS = Ubuntu 19.10

Relevant config item : https://docs.ansible.com/ansible/latest/reference_appendices/config.html#default-vault-id-match

Prequisites + Software Versions

$ sudo apt install ansible python3-passlib python3-keyring python3-keyrings.alt wget curl

$ python3 -V
Python 3.7.5rc1

$ ansible --version
ansible 2.8.3
  config file = /etc/ansible/ansible.cfg
  configured module search path = ['/home/user/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/lib/python3/dist-packages/ansible
  executable location = /usr/bin/ansible
  python version = 3.7.5rc1 (default, Oct  8 2019, 16:47:45) [GCC 9.2.1 20191008]

Create playbook dir and config (--vault-id is an executable Python script)

Notice how we set vault_id_match = True in the config

$ mkdir work; cd $_
$ mkdir vars
$ curl https://raw.githubusercontent.com/alibaba/ansible-provider-docs/master/contrib/vault/vault-keyring-client.py | sed 's/env python$/env python3/' > ~/work/vault-keyring-client.py
$ chmod u+x ~/work/vault-keyring-client.py
$ ~/work/vault-keyring-client.py --vault-id first --set
Storing password in "user" user keyring using key name: first
Password: first
Confirm password: first
Please set a password for your new keyring: user
Please confirm the password: user
$ ~/work/vault-keyring-client.py --vault-id second --set
Storing password in "user" user keyring using key name: second
Password: second
Confirm password: second
Please enter password for encrypted keyring: user
$ cat > ~/work/ansible.cfg <<'EOF'
[defaults]
transport = local
vault_id_match = True
vault_identity_list = second@~/work/vault-keyring-client.py, first@~/work/vault-keyring-client.py

EOF

Create labeled secret and set it to a variable

$ ansible-vault encrypt_string --vault-id first@~/work/vault-keyring-client.py
Please enter password for encrypted keyring: user
Reading plaintext input from stdin. (ctrl-d to end input)
password
!vault |
          $ANSIBLE_VAULT;1.2;AES256;first
          62666538353333306637633030373538373232326637323138643864663338383838323639623035
          3034383530306263376466656663396335373335663038390a326236306539323461663630613933
          30393465333035396666623138623963363238336666373762636632633938313937393165656664
          3136393238623836610a376332353266383435623061633265313963366235653966326437306530
          3766
Encryption successful

$ cat > ~/work/vars/main.yml <<'EOF'
# variables for current playbook
---
mypassword: !vault |
  $ANSIBLE_VAULT;1.2;AES256;first
  62666538353333306637633030373538373232326637323138643864663338383838323639623035
  3034383530306263376466656663396335373335663038390a326236306539323461663630613933
  30393465333035396666623138623963363238336666373762636632633938313937393165656664
  3136393238623836610a376332353266383435623061633265313963366235653966326437306530
  3766
EOF

Create playbook

$ cat > ~/work/play.yml <<'EOF'
# Main playbook
---
- hosts: localhost
  vars_files: vars/main.yml
  tasks:
    - debug:
        msg: "Hello {{ inventory_hostname }}: {{ mypassword | mandatory }}"

EOF

Invokation 1: Pass unlabelled expects Python script to be called with --vault-id first

Expectation: since vault_id_match is True, the script should be called as little as possible (once with --vault-id first)

Note how used .cfg is our own.

$ ansible-playbook -vvvvv -i localhost, play.yml --vault-id ~/work/vault-keyring-client.py
ansible-playbook 2.8.3
  config file = /home/user/work/ansible.cfg
  configured module search path = ['/home/user/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/lib/python3/dist-packages/ansible
  executable location = /usr/bin/ansible-playbook
  python version = 3.7.5rc1 (default, Oct  8 2019, 16:47:45) [GCC 9.2.1 20191008]
Using /home/user/work/ansible.cfg as config file
Reading vault password file: ~/work/vault-keyring-client.py
The vault password file ~/work/vault-keyring-client.py is a client script.
Executing vault password client script: /home/user/work/vault-keyring-client.py --vault-id second
Please enter password for encrypted keyring: user
Reading vault password file: ~/work/vault-keyring-client.py
The vault password file ~/work/vault-keyring-client.py is a client script.
Executing vault password client script: /home/user/work/vault-keyring-client.py --vault-id first
Please enter password for encrypted keyring: user
Reading vault password file: /home/user/work/vault-keyring-client.py
The vault password file /home/user/work/vault-keyring-client.py is a client script.
Executing vault password client script: /home/user/work/vault-keyring-client.py --vault-id None
 [WARNING]: Error in vault password file loading (None): Vault password client script /home/user/work/vault-keyring-client.py did not find a secret for vault-id=None: b'vault-keyring-client could not find
key="ansible" for user="user" via backend="chainer ChainerBackend"\n'

ERROR! Vault password client script /home/user/work/vault-keyring-client.py did not find a secret for vault-id=None: b'vault-keyring-client could not find key="ansible" for user="user" via backend="chainer ChainerBackend"\n'

Invokation 2: Do not pass any vault-id, let vault_identity_list be processed

This one succeeds only if vault_id_match is True.

$ ansible-playbook -vvvvv -i localhost, play.yml
ansible-playbook 2.8.3
  config file = /home/user/work/ansible.cfg
  configured module search path = ['/home/user/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/lib/python3/dist-packages/ansible
  executable location = /usr/bin/ansible-playbook
  python version = 3.7.5rc1 (default, Oct  8 2019, 16:47:45) [GCC 9.2.1 20191008]
Using /home/user/work/ansible.cfg as config file
Reading vault password file: ~/work/vault-keyring-client.py
The vault password file ~/work/vault-keyring-client.py is a client script.
Executing vault password client script: /home/user/work/vault-keyring-client.py --vault-id second
Please enter password for encrypted keyring: user
Reading vault password file: ~/work/vault-keyring-client.py
The vault password file ~/work/vault-keyring-client.py is a client script.
Executing vault password client script: /home/user/work/vault-keyring-client.py --vault-id first
Please enter password for encrypted keyring: user
setting up inventory plugins
Set default localhost to localhost
Parsed localhost, inventory source with host_list plugin
 [WARNING]: Skipping plugin (/usr/lib/python3/dist-packages/ansible/plugins/connection/docker.py) as it seems to be invalid: No module named 'distutils.spawn'

 [WARNING]: Skipping plugin (/usr/lib/python3/dist-packages/ansible/plugins/connection/iocage.py) as it seems to be invalid: No module named 'distutils.spawn'

 [WARNING]: Skipping plugin (/usr/lib/python3/dist-packages/ansible/plugins/connection/jail.py) as it seems to be invalid: No module named 'distutils.spawn'

 [WARNING]: Skipping plugin (/usr/lib/python3/dist-packages/ansible/plugins/connection/kubectl.py) as it seems to be invalid: No module named 'distutils.spawn'

 [WARNING]: Skipping plugin (/usr/lib/python3/dist-packages/ansible/plugins/connection/libvirt_lxc.py) as it seems to be invalid: No module named 'distutils.spawn'

 [WARNING]: Skipping plugin (/usr/lib/python3/dist-packages/ansible/plugins/connection/lxd.py) as it seems to be invalid: No module named 'distutils.spawn'

 [WARNING]: Skipping plugin (/usr/lib/python3/dist-packages/ansible/plugins/connection/oc.py) as it seems to be invalid: No module named 'distutils.spawn'

 [WARNING]: Skipping plugin (/usr/lib/python3/dist-packages/ansible/plugins/connection/zone.py) as it seems to be invalid: No module named 'distutils.spawn'

Loading callback plugin default of type stdout, v2.0 from /usr/lib/python3/dist-packages/ansible/plugins/callback/default.py
 [WARNING]: Skipping plugin (/usr/lib/python3/dist-packages/ansible/plugins/callback/osx_say.py) as it seems to be invalid: No module named 'distutils.spawn'

 [WARNING]: Skipping plugin (/usr/lib/python3/dist-packages/ansible/plugins/callback/say.py) as it seems to be invalid: No module named 'distutils.spawn'


PLAYBOOK: play.yml ********************************************************************************************************************************************************************************************
Positional arguments: play.yml
verbosity: 5
connection: local
timeout: 10
become_method: sudo
tags: ('all',)
inventory: ('localhost,',)
forks: 5
1 plays in play.yml
Read vars_file 'vars/main.yml'
Read vars_file 'vars/main.yml'
Read vars_file 'vars/main.yml'

(snipped...)

ok: [localhost]
META: ran handlers
Read vars_file 'vars/main.yml'

TASK [debug] **************************************************************************************************************************************************************************************************
task path: /home/user/work/play.yml:6
Found a vault_id (first) in the vaulttext
We have a secret associated with vault id (first), will try to use to decrypt None
Trying to use vault secret=(ClientScriptVaultSecret(filename='/home/user/work/vault-keyring-client.py', vault_id='first')) id=first to decrypt None
Trying secret ClientScriptVaultSecret(filename='/home/user/work/vault-keyring-client.py', vault_id='first') for vault_id=first
Decrypt successful with secret=ClientScriptVaultSecret(filename='/home/user/work/vault-keyring-client.py', vault_id='first') and vault_id=first
ok: [localhost] => {
    "msg": "Hello localhost: password\n"
}
META: ran handlers
META: ran handlers

PLAY RECAP ****************************************************************************************************************************************************************************************************
localhost                  : ok=2    changed=0    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0

Invokation 3: vault_identity_list as plain script

$ cat > ~/work/ansible.cfg <<'EOF'
[defaults]
transport = local
vault_id_match = True
vault_identity_list = ~/work/vault-keyring-client.py

EOF

$ ansible-playbook -vvvvv -i localhost, play.yml
ansible-playbook 2.8.3
  config file = /home/user/work/ansible.cfg
  configured module search path = ['/home/user/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/lib/python3/dist-packages/ansible
  executable location = /usr/bin/ansible-playbook
  python version = 3.7.5rc1 (default, Oct  8 2019, 16:47:45) [GCC 9.2.1 20191008]
Using /home/user/work/ansible.cfg as config file
Reading vault password file: ~/work/vault-keyring-client.py
The vault password file ~/work/vault-keyring-client.py is a client script.
Executing vault password client script: /home/user/work/vault-keyring-client.py --vault-id None
 [WARNING]: Error in vault password file loading (None): Vault password client script /home/user/work/vault-keyring-client.py did not find a secret for vault-id=None: b'vault-keyring-client could not find
key="ansible" for user="user" via backend="chainer ChainerBackend"\n'

ERROR! Vault password client script /home/user/work/vault-keyring-client.py did not find a secret for vault-id=None: b'vault-keyring-client could not find key="ansible" for user="user" via backend="chainer ChainerBackend"\n'
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment