I have an AWS EC2 inventory file that I want to use to deploy my code to the EC2 instances. I am using:
ansible-playbook -i ec2_inventory -u ec2-user --private-key=my_ec2_key.pem
and it works.
What I want is to use ansible-vault to encrypt the private key file: my_ec2_key.pem, and I will keep the vault password in a text file.
How can I issue the ansible-playbook command now to use the vault password to decrypt the private key file for ec2-user?
Unfortunately, ansible-vault will not automatically decrypt the private key that it's using to connect to instances. You could potentially hack around this by using a local task to write it into a keyfile from a variable file (which would write it decrypted) and place the file somewhere which is then referenced in downstream tasks. The reason ansible doesn't do this is because vault typically only decrypts the variables in-memory to prevent hanging decrypted artifacts if the playbook fails.
If you're using a CI box or something to run ansible, you could potentially place the private key on the CI box, and thus prevent the need to decrypt it at run-time. Then store the private key permanently encrypted in source.
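The answer above stops at "write the key somewhere from a local task". Here is an added example (not part of the original question or answer) of the same workaround done outside the playbook: a shell wrapper decrypts the vault-encrypted key into a 0600 temp file, runs ansible-playbook against it through the ANSIBLE_PRIVATE_KEY_FILE environment variable, and removes the plaintext when the run ends, whether it succeeds, fails or is interrupted. The file names (my_ec2_key.pem encrypted in place with ansible-vault encrypt, vault_pass.txt, site.yml) are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original post. Wrapper that keeps a decrypted
# SSH key on disk only for the duration of one ansible-playbook run.
# Assumed file names: my_ec2_key.pem (vault-encrypted), vault_pass.txt, site.yml.
set -eu

# decrypt_key PASSFILE ENCRYPTED OUT: write the plaintext key to OUT.
# "ansible-vault decrypt --output" creates OUT with mode 0600; the umask in the
# caller covers anything else that gets created.
decrypt_key() {
    ansible-vault decrypt --vault-password-file "$1" --output "$3" "$2"
}

# with_transient_key PASSFILE ENCRYPTED CMD [ARGS...]
# Runs CMD with KEYFILE and ANSIBLE_PRIVATE_KEY_FILE pointing at a temp file
# that holds the decrypted key only for the lifetime of CMD. The body is a
# subshell so the umask and the trap do not leak into the calling shell.
with_transient_key() (
    passfile=$1; encrypted=$2; shift 2
    umask 077                                   # nothing we create is group/world readable
    keyfile=$(mktemp "${TMPDIR:-/tmp}/ec2key.XXXXXX")
    trap 'rm -f "$keyfile"' EXIT HUP INT TERM   # plaintext never outlives the run
    decrypt_key "$passfile" "$encrypted" "$keyfile"
    KEYFILE=$keyfile
    ANSIBLE_PRIVATE_KEY_FILE=$keyfile           # read by ansible-playbook like --private-key
    export KEYFILE ANSIBLE_PRIVATE_KEY_FILE
    "$@"
)

# Usage (no --private-key on the command line any more):
#   with_transient_key vault_pass.txt my_ec2_key.pem \
#       ansible-playbook -i ec2_inventory -u ec2-user site.yml
```

The decrypted file is still a decrypted file for as long as the playbook runs; this narrows the window the answer warns about, it does not remove it. Point TMPDIR at a tmpfs if you want the plaintext to never touch persistent storage.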
Related
When I run an Ansible playbook, how do I pass multiple password files on the command line?
I want to run this:
ansible-playbook --vault-password-file /path/to/vault-password-file my_playbook.yml
but I want to pass multiple password files, because I use multiple variables in the playbook that use different passwords that are stored in different password files.
How do I do that?
(I'm using Ansible 2.9.16, but can upgrade to 2.10.x if that helps, I'm not bound to any specific version)
You can leverage the vault-ids concept (introduced in Ansible v2.4) to fix your problem.
Sample command below:
ansible-playbook --vault-id dev@dev-password --vault-id prod@prompt site.yml
dev -> the vault ID
dev-password -> points to the password file to be used
prod -> another vault ID
prompt -> prompts for the password
Ansible Docs for complete workflow and setup: https://docs.ansible.com/ansible/2.6/user_guide/vault.html#vault-ids-and-multiple-vault-passwords
Vault IDs setup with existing password files
Ansible config file setup
vault_identity_list = vaultid1@~/path_to_pass1_file/.pass1, vaultid2@~/path_to_pass2_file/.pass2
Encrypt the file using the respective vaultid
ansible-vault encrypt --encrypt-vault-id vaultid1 file_to_be_encrypted_1
ansible-vault encrypt --encrypt-vault-id vaultid2 file_to_be_encrypted_2
Run your playbook and it will automatically pick the configuration from the ansible.cfg and decrypt the contents.
I have to protect the key file of the server. The path of the key file is present in the AWX inventory file, as you can see below. I used ansible-vault to protect the "/var/lib/awx/resource/keys/stg01/test.pem" file. How can I load that password in my AWX inventory file? How do I encrypt the key file and pass that file to Ansible Tower? It needs to be decrypted when using that key file.
---
ansible_ssh_host: 10.3.2.10
ansible_ssh_private_key_file: /var/lib/awx/resource/keys/stg01/test.pem
ansible_user: centos
With ansible-vault, you need to have a file with the master password of ansible-vault, or to set the password on the command line every time you use it.
If you don't want to do that, you can look at Vault server and use it with Ansible:
https://www.vaultproject.io/
I have the ability to encrypt variables using another mechanism(Azure pipeline secret feature), so I would like to save an ansible-vault password there(in Azure pipeline) and pass it to playbook execution as an extra var.
May I know if it can be done so?
An example of what/how I'm expecting is
ansible-playbook --extra-vars "vault-password=${pipelinevariable}"
Vault password cannot be passed as an extra var. There are several ways to provide it which are all covered in the documentation:
Providing vault password section in the general vault documentation.
Using vault in playbooks
Very basically your options are:
providing it interactively passing the --ask-vault-pass option
reading it from a file (static or executable) by either:
providing the --vault-password-file /path/to/vault option on the command line
setting the ANSIBLE_VAULT_PASSWORD_FILE environment variable (e.g. export ANSIBLE_VAULT_PASSWORD_FILE=/path/to/vault).
There is much more to learn in the above doc, especially how to use several vault passwords with ids, how to use a client script to retrieve the password from a key store...
Although this doesn't use extra vars, I believe it fulfills what you were trying to do:
Optional/one-time only: ask for the password and set it as an environment variable:
read -s ansible_vault_pass && export ansible_vault_pass
Now use that variable in your ansible command:
ansible-playbook your-playbook.yml --vault-password-file <(cat <<<"$ansible_vault_pass")
Credits for, and explanation of the <(cat <<<"") technique are in this other StackOverflow answer: Forcing cURL to get a password from the environment.
May I know if it can be done so?
Not familiar with Ansible Vault, but you have at least two directions based on the documents shared by Zeitounator.
1. Use a CMD task first to create a vault-password-file with plain-text content. (Not sure if the vault-password-file can be created in this way; it might not work.)
(echo $(SecretVariableName)>xxx.txt)
Then you may use the newly created xxx.txt file as input of ansible-playbook --vault-password-file /path/to/my/xxx.txt xxx.yml.
2. Create a corresponding vault-password-file before running the pipeline and add it to version control (same source repo as your current pipeline).
Then you can use ansible-playbook --vault-password-file easily when the vault-password-file is available. You can also store the password file in a private GitHub repo, fetch the repo via git clone https://{userName}:{userPassword}@github.com/xxx/{RepoName}.git, and copy the needed password file to the directory where you run the ansible-playbook commands via a Copy Files task. This direction should work no matter whether direction 1 is supported.
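Both the vault-ids answer earlier on this page ("reading it from a file (static or executable)") and the pipeline answers above can be served by one artifact: an executable vault password file. Here is an added example, not from any of the answers, of such a script. Ansible runs it and reads the password from its stdout, so the pipeline secret only ever exists in the job's environment, never in a plaintext file in the repo. Because the file name ends in -client, Ansible also passes --vault-id LABEL to it, so the same script can back several vault IDs by mapping the label to an environment variable. The variable names ANSIBLE_VAULT_PASS and VAULT_PASS_<LABEL> and the file name vault-pass-client are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original answers. Creates an executable vault
# password "file" that resolves the password from the environment.
# Assumed variable names: ANSIBLE_VAULT_PASS (default), VAULT_PASS_<LABEL>.
set -eu

# write_vault_client DIR: create DIR/vault-pass-client (mode 0700), print its path.
write_vault_client() (
    client=$1/vault-pass-client
    umask 077
    cat > "$client" <<'EOF'
#!/bin/sh
# Invoked by Ansible as: vault-pass-client [--vault-id LABEL]
# Prints $VAULT_PASS_<LABEL> (label upper-cased, "-" mapped to "_"), falling
# back to $ANSIBLE_VAULT_PASS when no label-specific variable is set.
label=
while [ $# -gt 0 ]; do
    case $1 in
        --vault-id)   [ $# -ge 2 ] || { echo "--vault-id needs a value" >&2; exit 2; }
                      label=$2; shift 2 ;;
        --vault-id=*) label=${1#--vault-id=}; shift ;;
        *)            echo "unknown argument: $1" >&2; exit 2 ;;
    esac
done
# The label is spliced into a variable name below; refuse anything that is
# not a plain identifier so a hostile --vault-id cannot reach the eval.
case $label in
    *[!A-Za-z0-9_-]*) echo "invalid vault id: $label" >&2; exit 2 ;;
esac
pass=
if [ -n "$label" ]; then
    var=VAULT_PASS_$(printf '%s' "$label" | tr 'a-z' 'A-Z' | sed 's/-/_/g')
    eval "pass=\${$var:-}"
fi
[ -n "$pass" ] || pass=${ANSIBLE_VAULT_PASS:-}
if [ -z "$pass" ]; then
    echo "vault-pass-client: no password in environment for vault id '${label:-default}'" >&2
    exit 1
fi
printf '%s\n' "$pass"
EOF
    chmod 700 "$client"
    printf '%s\n' "$client"
)

# Usage in the pipeline job (secrets mapped into the environment by the pipeline):
#   client=$(write_vault_client "$HOME/.ansible")
#   ANSIBLE_VAULT_PASS="$pipelinevariable" ansible-playbook --vault-password-file "$client" site.yml
#   VAULT_PASS_DEV="$devsecret" VAULT_PASS_PROD="$prodsecret" \
#       ansible-playbook --vault-id dev@"$client" --vault-id prod@"$client" site.yml
```

The script fails closed: with no matching variable it exits non-zero and Ansible reports that the vault password could not be obtained, rather than silently trying an empty password.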
Can I create a ansible-vault file from within ansible? I am creating a deployment package for another server (to be run locally) from ansible and I want to encrypt sensitive data (the key itself is transferred over a different channel).
Does ansible-vault have a non-interactive mode to create a vault file? Or is there some ansible intrinsic way?
You can use the --vault-password-file option of ansible-vault for non-interactive vault file creation. The file passed in can be a text file containing the vault password, or it can be an executable script that retrieves and outputs the vault password.
You would call it like this:
ansible-vault --vault-password-file=vaultpass.txt encrypt sensitive_data.txt
If you would like to create the file on the fly, rather than copying over or encrypting an existing file, you can omit the filename from this command and pipe the data to STDIN:
echo "sensitive data" | ansible-vault --vault-password-file=vaultpass.txt encrypt --output outfile.txt
Currently FileZilla is being used to copy from a remote server. A manual operation is required to copy the file and then complete other further tasks after copying it. So I need to write a shell script to copy and do the further tasks. But I am facing problems logging in to the server using a private/public key. I have one key file which contains the following content:
PuTTY-User-Key-File-2: ssh-rsa
Encryption: none
Comment: imported-openssh-key
Public-Lines: 6
--<Public_key>
Private-Lines: 14
---<Private_key>--
Private-MAC: --<some text>--
FileZilla is successfully connecting and working properly using the key.
I have already spent many hours googling, but could not get a proper solution.
Please suggest how I can log in without a password using that given key and copy files using a shell script.
You need to put the private key in a file by itself on the client machine, and then:
ssh -i /path/to/ssh/key USER@HOSTNAME
Here's a tutorial: https://support.rackspace.com/how-to/logging-in-with-an-ssh-private-key-on-linuxmac/
Finally I got the solution to my own question after doing research and visiting many websites. The PPK file contains:
PuTTY-User-Key-File-2: ssh-rsa
Encryption: none
Comment: imported-openssh-key
Public-Lines: 6
--<Public_key>
Private-Lines: 14
---<Private_key>--
Private-MAC: --<some text>--
Actually we need to generate our own private key, either with a passphrase or without one. Then we can log in to the server using our own private key.
Steps to generate the private key are in this URL:
https://kb.paessler.com/en/topic/32883-how-can-i-use-private-keys-for-my-ssh-sensors-with-prtg
After generating the private key, we can do an ssh login or sftp using:
sftp -oIdentityFile=<generated_private_key> <user>@<ftp_server>:<remote_directory>
ssh -i <generated_private_key> <user>@<ftp_server>
We can use the important sftp commands for automation tasks:
http://www.csee.umbc.edu/courses/104/fall05/ordonez/sftp_cmds.shtml
Now I can write a shell script after logging in and listing files on the remote FTP server. If anything is confusing, please comment.
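As an added example for the two answers above (not code from either poster), here is the shell script they describe in prose: it installs the OpenSSH private key with the permissions ssh insists on, then copies files with a non-interactive sftp batch. A PuTTY .ppk key is converted first with puttygen from putty-tools (puttygen imported.ppk -O private-openssh -o ~/.ssh/remote_key). The host, user, key path and file names are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original answers. Scripted replacement for the
# manual FileZilla step. Assumed: the key is already in OpenSSH format.
set -eu

# install_key SRC DEST: copy the private key to DEST as mode 0600 inside a 0700
# directory. ssh refuses a key that is group/world readable ("UNPROTECTED
# PRIVATE KEY FILE!"), which is the usual reason "-i" appears to be ignored
# and a password prompt comes back. Prints DEST.
install_key() (
    umask 077
    mkdir -p "$(dirname "$2")"
    chmod 700 "$(dirname "$2")"
    cp "$1" "$2"
    chmod 600 "$2"
    printf '%s\n' "$2"
)

# sftp_batch REMOTE_DIR LOCAL_DIR FILE...: print the sftp batch commands that
# fetch each FILE from REMOTE_DIR into LOCAL_DIR. Kept separate from the
# transfer so it can be reviewed (or tested) before anything touches the server.
sftp_batch() {
    remote=$1; local_dir=$2; shift 2
    printf 'cd %s\nlcd %s\n' "$remote" "$local_dir"
    for f in "$@"; do
        printf 'get %s\n' "$f"
    done
    printf 'bye\n'
}

# fetch_files KEY USER HOST REMOTE_DIR LOCAL_DIR FILE...: run the batch over sftp.
# BatchMode=yes makes ssh fail instead of prompting when the key is rejected;
# IdentitiesOnly=yes stops ssh from offering every key in the agent first; the
# known_hosts check stays on, so a changed host key aborts the copy.
fetch_files() {
    key=$1; user=$2; host=$3; shift 3
    sftp_batch "$@" | sftp -b - -i "$key" -o BatchMode=yes -o IdentitiesOnly=yes "$user@$host"
}

# Usage:
#   key=$(install_key ./imported_key.pem "$HOME/.ssh/remote_key")
#   fetch_files "$key" backup files.example.com /export/reports ./incoming report1.csv report2.csv
#   # ...further processing of ./incoming/*.csv goes here
```

sftp -b stops at the first failing command, so a missing remote file aborts the batch with a non-zero exit; with set -e that also stops the rest of the script instead of processing an incomplete download.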