@zdtsw
Last active November 13, 2017 12:21
different vaults, ansible-vault encrypt_string; ansible-vault file; #vault
#ansible-vault file#
Create a file in your Ansible project, e.g. mySecret.yml
>cat mySecret.yml
---
myBankId: |
  12345
myPin: |
  abcd
myJenkinsPsw: |
  !"#¤%
>ansible-vault encrypt mySecret.yml --vault-password-file ~/.vault_pass.txt
or
>ansible-vault encrypt mySecret.yml
In that case you need to type the password manually.
>less mySecret.yml
$ANSIBLE_VAULT;1.1;AES256
3036306133633736393035323
Then "git add" mySecret.yml into your repo. Safe enough: even though everyone can "git clone" the repo, without your password they won't know your little secret. :P Keep the vault password file itself out of the repo.
In myPlayBook, if you use the variables {{ myBankId }}, {{ myPin }} or {{ myJenkinsPsw }}, you need to pass --vault-password-file ~/.vault_pass.txt, e.g.
>ansible-playbook playbooks/myPlayBook.yml --vault-password-file ~/.vault_pass.txt
or, a safer way, e.g. in Jenkins:
>export ANSIBLE_VAULT_PASSWORD_FILE=~/.vault_pass.txt
>ansible-playbook playbooks/myPlayBook.yml
If you want to change the real value of these variables, do this:
>ansible-vault edit mySecret.yml
To show the decrypted file (note that decrypt rewrites mySecret.yml as plaintext on disk, so encrypt it again before committing):
>ansible-vault decrypt mySecret.yml
For a good example, see https://gist.github.com/tristanfisher/e5a306144a637dc739e7
#ansible-vault encrypt_string#
This was only introduced in Ansible 2.3.0 and is available in later versions.
Compared with the old ansible-vault, it does not encrypt the whole file, only the variable.
>ansible-vault encrypt_string "12345" -n myBankId >> mySecret_myBankId.yml
This creates mySecret_myBankId.yml:
>less mySecret_myBankId.yml
myBankId: !vault |
          $ANSIBLE_VAULT;1.1;AES256
          32623561376263346537356433333531383935343532303764396339333165643430336262663963
But the real use case is more likely to be inside the playbook (otherwise, I do not see any advantage over the old way).
Write:
myBankId: !vault |
          $ANSIBLE_VAULT;1.1;AES256
          32623561376263346537356433333531383935343532303764396339333165643430336262663963
instead of putting in the real value:
myBankId: 12345
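
A pre-commit style check covering both layouts in these notes (whole-file vault and inline !vault values), added here as an example and not part of the original gist: it reports which secret variables are still readable in a file about to be committed. The function names and the sample inputs are assumptions made for this example.

```python
import re

# Envelope line written by ansible-vault. The notes show format 1.1; 1.2 (with a
# trailing vault-id label) is accepted too, which goes beyond the notes.
HEADER = re.compile(r"^\$ANSIBLE_VAULT;1\.[12];AES256(;\S+)?$")
HEX_LINE = re.compile(r"^[0-9a-f]+$")
TOP_LEVEL_KEY = re.compile(r"^(\w+):\s*(.*)$")


def is_vault_blob(lines):
    """True if lines are a vault header followed only by hex payload lines."""
    lines = [l.strip() for l in lines if l.strip()]
    return (len(lines) >= 2 and bool(HEADER.match(lines[0]))
            and all(HEX_LINE.match(l) for l in lines[1:]))


def plaintext_secrets(text, secret_vars):
    """Names from secret_vars that are readable in text (top-level keys only)."""
    lines = text.splitlines()
    if is_vault_blob(lines):  # whole file encrypted with `ansible-vault encrypt`
        return []
    exposed, i = [], 0
    while i < len(lines):
        key = TOP_LEVEL_KEY.match(lines[i])
        i += 1
        if not key or key.group(1) not in secret_vars:
            continue
        block = []  # indented continuation lines that belong to this key
        while i < len(lines) and (not lines[i].strip() or lines[i][0] in " \t"):
            block.append(lines[i])
            i += 1
        # Protected only if tagged !vault AND the block really is a vault blob.
        if not (key.group(2).startswith("!vault") and is_vault_blob(block)):
            exposed.append(key.group(1))
    return exposed


# Constructed sample inputs (the hex payload is filler, not real ciphertext).
SECRETS = {"myBankId", "myPin", "myJenkinsPsw"}
WHOLE_FILE = "$ANSIBLE_VAULT;1.1;AES256\n6162636461626364\n6566676865666768\n"
INLINE = ("myBankId: !vault |\n  $ANSIBLE_VAULT;1.1;AES256\n  6162636461626364\n"
          "myPin: |\n  abcd\n")
FAKE_TAG = "myBankId: !vault |\n  12345\n"

if __name__ == "__main__":
    for name, sample in [("whole", WHOLE_FILE), ("inline", INLINE), ("fake", FAKE_TAG)]:
        print(name, plaintext_secrets(sample, SECRETS))
```

The check is line-based and only looks at top-level keys, so nested variables need a real YAML loader with a `!vault` constructor.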