Skip to content

Instantly share code, notes, and snippets.

@realtebo

realtebo/ansible_vault.md

Last active November 3, 2020 00:28
Show Gist options
  • Save realtebo/74a492bad656e0f61d4db2468371a42d to your computer and use it in GitHub Desktop.
Save realtebo/74a492bad656e0f61d4db2468371a42d to your computer and use it in GitHub Desktop.
Download ZIP
How to use encrypted vault files for storing sensitive da ta and NOT enter a password every time :)
Raw
ansible_vault.md

How to use the vault with ansible

Prerequisites

pip install cryptography

Create the file

The EDITOR const is optional, but I use to show how to force the use of an editor instead of another.

Before creating the vault you will be prompted 2 times for the password.

cd <where you will have the main yml playbook/role file>
EDITOR=nano ansible-vault create vars/main.yml

Example of the vars/main.yml file

This folders and the related file must be created under the root of the ansible project; so the vars folder must be in the same level of the playbook, or of the roles folder

--
desktop_username="[email protected]"
desktop_password="0hMyGoat!"

Warning ! Copy/Pasting from previous snippet could bring the wrong quotes !! Manually check that you are using the standard double quote char and not the typographic" version;.

Usin nano, you must Ctrl-O + Ctrl+X to save; using vi you must write :wq aftter pressing ESC key. The file will be automatically crypted when you end

Show the encrypted content of the vault

cat ./vars/main.yml

This command show the file in the actual crypted version, for example:

$ansible_vault;1.1;aes256
35353531656635363966396361396632626435623935363337346438646534303735336633663966
6433313635306336643366346265323332393931313364300a313939306666396531303763313135
32323339333432653137623833333636383437303138316565363037336463393933386663353831
6633616530303535610a323130393462366430353263303733653961376333653435626263353533
30623535353932306233313963626339633561343865333337343064316635303962383730633763
39393331656436386538323065366464336261343961396135363561373935356136336166613535
31636561643462663461393261316663363431303439393036343861313332393165346538383262
34393138316162396361

Show the decrypted content of the vault

The following command shows you the file content, after you succesfully entered the password. This command do not alter the file, it will remain encrypted

ansible-vault view ./vars/main.yml

For example ...

---
desktop_username=”[email protected]”
desktop_password=”0hMyGoat!”

Example of how to use the vault's vars in a playbook

tasks:
- name: 'Include some additional variables'
  tags: 'debug'
  include_vars: main.yml
  win_get_url:
    username: "{{ desktop_username }}"
    password: "{{ desktop_password }}"
....

Please Note: include_vars must be used on the task level; also the include_vars is assuming the existence of the folder varsat the same level of the playbook, and that the main.yml file is inside of it.

Avoid to enter password every time

Create a plain text password file, but please keep it deleted, ignored via .gitignore, and away from customer's or coworkers' eyes.

See the directive DEFAULT_VAULT_PASSWORD_FILE in the /etc/ansible/ansible.cfg. To do it, search for vault_password_file, actually is at row 140, but obiously this row number will change.

Tips: using nano, Ctrl+C show you the current line number, and Ctrl+_ request to you the line number to go to.

vault_password_file = /home/realtebo/.ansible/.password

IMPORTANT ! Is not allowed to store vault password file in the home of the linux user; also, the file must have 644 (rw-r--r--) permissions

In the vault password file, simply enter a single word, the password.

So you can run

ansible-playbook <host_pattern> <playbook_file.yml>

without entering the password at all!

:)

Comments are very appreciated!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment