Creating an ansible-vault from ansible - ansible-vault

Can I create an ansible-vault file from within ansible? I am creating a deployment package for another server (to be run locally) from ansible and I want to encrypt sensitive data (the key itself is transferred over a different channel).
Does ansible-vault have a non-interactive mode to create a vault file? Or is there some ansible intrinsic way?

You can use the --vault-password-file option of ansible-vault for non-interactive vault file creation. The file passed in can be a text file containing the vault password, or it can be an executable script that retrieves and outputs the vault password.
You would call it like this:
ansible-vault --vault-password-file=vaultpass.txt encrypt sensitive_data.txt
If you would like to create the file on the fly, rather than copying over or encrypting an existing file, you can omit the filename from this command and pipe the data to STDIN:
echo "sensitive data" | ansible-vault --vault-password-file=vaultpass.txt encrypt --output outfile.txt

Related

How to avoid ask-vault-pass parameter on Ansible

I would like to do something like
ansible-playbook myPlaybook.yml -i myHostFile
instead of
ansible-playbook myPlaybook.yml -i myHostFile --ask-vault-pass
Your requirement is not clear. Following my comments, this answer is a specific example of how to secure your vault passwords inside your GNOME Linux session keyring using the vault-keyring-client.py script provided by the ansible community contribs (hoping it will give you some ideas of how to fix the problem in your specific case).
Make sure you have the required dependencies to run the script
pip install keyring
Install the contrib script somewhere in your path (the given path is just an example, use one suited to your situation)
cd $HOME/bin
curl -o vault-keyring-client https://raw.githubusercontent.com/ansible-community/contrib-scripts/main/vault/vault-keyring-client.py
chmod 0700 vault-keyring-client
Create your vault id passwords in your session keystore using the script. The password is asked for interactively and stored. You can see them by browsing the login keyring after launching seahorse (i.e. "Passwords and Keys").
vault-keyring-client --set --vault-id yourid1
vault-keyring-client --set --vault-id yourid2
Configure ansible to use that script for those ids. If encrypted content is found without an id, the ids will be tried in order. You probably want to define a default id to encrypt the content. Add the following lines to your .bashrc (or whatever shell you use...)
export ANSIBLE_VAULT_IDENTITY_LIST=yourid1#$HOME/bin/vault-keyring-client,yourid2#$HOME/bin/vault-keyring-client
export ANSIBLE_VAULT_ENCRYPT_IDENTITY=yourid1
Encrypt some content
# using the default encrypt vault-id
ansible-vault encrypt somefile
ansible-vault encrypt_string "somestring"
# using a vault-id other than the default
ansible-vault encrypt --encrypt-vault-id yourid2 somefile
ansible-vault encrypt_string --encrypt-vault-id yourid2 "somestring"
You can now use any playbook or ad hoc command in need of a configured vault password from your opened session without having to provide it interactively.
ansible-playbook -i your_inventory your_playbook
ansible -i your_inventory somehost -m debug -a "msg={{ some_encrypted_var }}"
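An added example, not the contrib vault-keyring-client.py used above: a minimal vault password client script that keeps one 0600 password file per vault id in a directory instead of a keyring. Ansible treats a --vault-password-file whose name ends in "-client" (before any extension, e.g. mypass-client.py) as a client and runs it as "mypass-client.py --vault-id <id>", taking the password from stdout; the store location ($VAULT_ID_STORE, defaulting to ~/.ansible-vault-ids/<id>) and the permission check are this example's own assumptions.

```python
import os
import stat
import sys
import tempfile
from pathlib import Path

# Assumed store layout (not ansible's): $VAULT_ID_STORE/<vault id>, default ~/.ansible-vault-ids

def lookup_password(vault_id, store_dir):
    """Return the password for vault_id, refusing loosely-permissioned files."""
    if not vault_id or "/" in vault_id or vault_id.startswith("."):
        raise ValueError("invalid vault id: %r" % vault_id)
    path = Path(store_dir, vault_id)
    st = path.lstat()                          # lstat: do not follow a planted symlink
    if not stat.S_ISREG(st.st_mode):
        raise OSError("%s is not a regular file" % path)
    if st.st_mode & 0o077:
        raise PermissionError("%s is group/other readable; chmod 600 it" % path)
    password = path.read_bytes().strip()       # ansible strips the script's output anyway
    if not password:
        raise ValueError("empty password in %s" % path)
    return password.decode("utf-8")

def self_check():
    """Constructed round trip: a 0600 file is served, a 0644 file is refused."""
    with tempfile.TemporaryDirectory() as d:
        Path(d, "dev").write_text("constructed-dev-secret\n")
        Path(d, "dev").chmod(0o600)
        Path(d, "prod").write_text("constructed-prod-secret\n")
        Path(d, "prod").chmod(0o644)
        served = lookup_password("dev", d)
        try:
            lookup_password("prod", d)
            refused = False
        except PermissionError:
            refused = True
    return served, refused

def main(argv):
    # ansible invokes a *-client script as: script --vault-id <id> (no args if no id was given)
    vault_id = argv[1] if len(argv) == 2 and argv[0] == "--vault-id" else "default"
    store = os.environ.get("VAULT_ID_STORE", os.path.expanduser("~/.ansible-vault-ids"))
    try:
        print(lookup_password(vault_id, store))
    except (OSError, ValueError) as exc:
        print("vault client: %s" % exc, file=sys.stderr)
        return 2                               # non-zero exit: ansible reports the failure
    return 0

if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Saved as e.g. ~/bin/mypass-client.py, it slots into ANSIBLE_VAULT_IDENTITY_LIST exactly like the keyring script above.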

Ansible: How to pass multiple password files to playbook

When I run an Ansible playbook, how do I pass multiple password files on the command line?
I want to run this:
ansible-playbook --vault-password-file /path/to/vault-password-file my_playbook.yml
but I want to pass multiple password files, because I use multiple variables in the playbook that use different passwords that are stored in different password files.
How do I do that?
(I'm using Ansible 2.9.16, but can upgrade to 2.10.x if that helps, I'm not bound to any specific version)
You can leverage the vault-ids concept (introduced in Ansible v2.4) to fix your problem.
Sample command below:
ansible-playbook --vault-id dev#dev-password --vault-id prod#prompt site.yml
dev -> Is the vault ID
dev-password -> Points to the password to be used
prod -> Another vault ID
prompt -> Prompts for the password
Ansible Docs for complete workflow and setup: https://docs.ansible.com/ansible/2.6/user_guide/vault.html#vault-ids-and-multiple-vault-passwords
Vault IDs setup with existing password files
Ansible config file setup
vault_identity_list = vaultid1#~/path_to_pass1_file/.pass1,vaultid2#~/path_to_pass2_file/.pass2
Encrypt the file using the respective vaultid
ansible-vault encrypt --encrypt-vault-id vaultid1 file_to_be_encrypted_1
ansible-vault encrypt --encrypt-vault-id vaultid2 file_to_be_encrypted_2
Run your playbook and it will automatically pick the configuration from the ansible.cfg and decrypt the contents.

How to secure SSH key file in AWX Tower?

I have to protect the key file of the server. The path of the key file is present in the AWX inventory file, as you can see below. I used ansible-vault to protect the "/var/lib/awx/resource/keys/stg01/test.pem" file. How can I load that password in my AWX inventory file? How do I encrypt the key file and pass that file to Ansible Tower, so that it gets decrypted when that key file is used?
---
ansible_ssh_host: 10.3.2.10
ansible_ssh_private_key_file: /var/lib/awx/resource/keys/stg01/test.pem
ansible_user: centos
With ansible-vault, you need to have a file with the master password of ansible-vault, or to set the password on the command line every time you use it.
If you don't want to do that, you can look at Vault server and use it with ansible:
https://www.vaultproject.io/

Encrypt user private key file in command "ansible-playbook"

I have an AWS EC2 inventory file that I want to use to deploy my code to the EC2 instances. I am using:
ansible-playbook -i ec2_inventory -u ec2-user --private-key=my_ec2_key.pem
and it works.
What I want is to use ansible-vault to encrypt the private key file: my_ec2_key.pem, and I will keep the vault password in a text file.
How can I issue the ansible-playbook command now to use the vault password to decrypt the private key file for ec2-user?
Unfortunately, ansible-vault will not automatically decrypt the private key that it's using to connect to instances. You could potentially hack around this by using a local task to write it into a keyfile from a variable file (which would write it decrypted) and place the file somewhere which is then referenced in downstream tasks. The reason ansible doesn't do this is because vault typically only decrypts the variables in-memory to prevent hanging decrypted artifacts if the playbook fails.
If you're using a CI box or something to run ansible, you could potentially place the private key on the CI box, and thus prevent the need to decrypt it at run-time. Then store the private key permanently encrypted in source.

Using ansible-vault in "interactive mode" via bash script

I really love using ansible-vault on the command-line to encrypt/decrypt files easily. For example if I have a plaintext file called ~/fizzbuzz.foo with the following contents:
bupo
I can use this tool like so:
ansible-vault encrypt ~/fizzbuzz.foo
New Vault password: 123
Confirm New Vault password: 123
Boom -- encrypted! When I vi ~/fizzbuzz.foo now:
$ANSIBLE_VAULT;1.1;AES256
36663138613666623730653164333138343133383233313562363733346461663334393932393461
6535316532366130316237633633663565663366323162660a666630613738363035343663353132
33383530653235393431633231313765656135626538353163323366363039633836613265383332
3762666261326466370a643164393166346634343636346634383039356665646531353062303765
3734
I'd like to use this in a bash script where I pass the encryption/decryption password in as a script argument:
#!/bin/bash
# do some stuff
ansible-vault -i "bar" encrypt ~/fizzbuzz.foo
# do some more stuff
However, I don't see anything like an interactive (e.g. -i) argument/mode for ansible-vault. The best I could find was a way of using an env file for storing passwords for the ansible-playbook utility, but I played around with ansible-vault and couldn't find a similar behavior for it.
Any ideas?
You need to create the vault password file first; here is how:
openssl rand -base64 512 |xargs > vaultkeyfile
I am creating the vault file in the local directory, but you probably want to place it in another one, like ~/.ansible_vault/ for example.
Then, to create/encrypt/decrypt the file, you use:
For a new file:
ansible-vault create testfile.txt --vault-password-file=vaultkeyfile
For encrypting an existing file:
ansible-vault encrypt testfile.txt --vault-password-file=vaultkeyfile
For decrypting:
ansible-vault decrypt testfile.txt --vault-password-file=vaultkeyfile
When executing the above, you will notice it doesn't ask for a password.
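The $ANSIBLE_VAULT;1.1;AES256 envelope shown in the question, parsed with the standard library: an added example, not code from the question or the answer, that tells you whether a given vault password file is the right one for an encrypted file by recomputing the HMAC, which is useful before a non-interactive run with several password files. It follows the 1.1/1.2 layout and key derivation ansible uses (PBKDF2-HMAC-SHA256, 10000 rounds, 80 derived bytes: AES key, HMAC key, CTR IV) but does not decrypt, since that needs AES-256-CTR from a third-party library.

```python
import hashlib
import hmac
from binascii import unhexlify

# The encrypted ~/fizzbuzz.foo from the question, verbatim (format 1.1, no vault id).
SAMPLE_VAULT = """$ANSIBLE_VAULT;1.1;AES256
36663138613666623730653164333138343133383233313562363733346461663334393932393461
6535316532366130316237633633663565663366323162660a666630613738363035343663353132
33383530653235393431633231313765656135626538353163323366363039633836613265383332
3762666261326466370a643164393166346634343636346634383039356665646531353062303765
3734
"""

def parse_vaulttext(text):
    """Split a vault file into (cipher, vault_id, salt, mac, ciphertext).

    The body is hex(salt_hex + newline + hmac_hex + newline + ciphertext_hex), wrapped at 80 columns.
    """
    lines = text.strip().splitlines()
    header = lines[0].split(";")
    if header[0] != "$ANSIBLE_VAULT" or header[1] not in ("1.1", "1.2"):
        raise ValueError("not an ansible-vault 1.1/1.2 envelope")
    vault_id = header[3] if len(header) > 3 else None     # format 1.2 carries the vault id
    inner = unhexlify("".join(lines[1:]))                  # strip the outer hex layer
    salt_hex, mac_hex, ct_hex = inner.split(b"\n", 2)
    return header[2], vault_id, unhexlify(salt_hex), unhexlify(mac_hex), unhexlify(ct_hex)

def derive_keys(password, salt):
    """PBKDF2-HMAC-SHA256, 10000 rounds, 80 bytes: AES-256 key, HMAC key, 16-byte CTR IV."""
    dk = hashlib.pbkdf2_hmac("sha256", password, salt, 10000, dklen=80)
    return dk[:32], dk[32:64], dk[64:]

def password_matches(text, password):
    """True iff HMAC-SHA256(key2, ciphertext) verifies, i.e. this password would decrypt the file."""
    cipher, _vault_id, salt, mac, ciphertext = parse_vaulttext(text)
    if cipher != "AES256":
        raise ValueError("unsupported cipher " + cipher)
    # ansible strips whitespace from password files and script output before use; do the same
    _key1, key2, _iv = derive_keys(password.strip().encode("utf-8"), salt)
    return hmac.compare_digest(hmac.new(key2, ciphertext, hashlib.sha256).digest(), mac)

if __name__ == "__main__":
    import sys
    # usage: check_vault.py <encrypted file> <vault password file>
    vaulttext = open(sys.argv[1]).read()
    candidate = open(sys.argv[2]).read()
    print("password file matches" if password_matches(vaulttext, candidate) else "wrong password")
```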