How do I query just the value of a secret key from consul template ? From vault cli I would do
vault read -field=value secret/somekey
and it works fine. However, in the consul-template
{{secret "secret/somekey"}}
returns something like
{ 2592000 false map[value:11122222001040]
I can see it's outputting lease_duration etc along with the value. How do I get just the value in consul-template ?
In your template you will need to use:
{{with secret "secret/somekey"}}{{.Data.value}}{{end}}
In your config file you will also need a section for vault:
vault {
address = "https://vault.service.consul:8200"
token = "abcd1234"
}
or you could use the VAULT_TOKEN environment variable.
Related
I'm using ansible-vault 2.10.5. According to the encrypt_string documentation, I can use --output to save the encrypted result. The doc says:
--output <OUTPUT_FILE>
output file name for encrypt or decrypt; use - for stdout
But I tried several commands and the result seemed to always be printed to the console. For example:
ansible-vault encrypt_string --vault-id test#prompt --name my_var --output encrypted.txt my_value
I got the following output printed on the console:
New vault password (test):
Confirm new vault password (test):
my_var: !vault |
$ANSIBLE_VAULT;1.2;AES256;test
66343062376436373531313033623237393231663930383936306662393164653733636161653630
6636653035306339363065623438353338646533656639620a376365376136343232376561666266
62313936343766343333333065363634663961643234323734613135383763656536656437393431
3238306436313437320a663131653164366133356530663732633334366136306636663766353331
6635
Encryption successful
So what is the correct way of using --output option to save the encrypted content to a local file?
I'd rather put the target content to be encrypted in a file and use ansible-vault encrypt secretfile and it will enctypt the file in place.
What mechanism does Ansible Vault use to detect wrong vault passwords? In other word, if a user inputs wrong vault password then Ansible shows error message below. How?
Decryption failed (no vault secrets were found that could decrypt)
Is there any section in Vault Payload that Ansible uses to detect wrong passwords?
The code for ansible-vault with the relevant section can be found here: https://github.com/ansible/ansible/blob/devel/lib/ansible/parsing/vault/init.py#L736
Summarised, it uses the specified password and vault ID to decrypt the file. So it will look for the vault ID in the vault file and will then try to decrypt the password. The crytpo part will only return a byte string when the decryption was successful and the expected format (PKCS7) is returned:
So first, the content of the vault is parsed (hex format is converted to actual bytes):
b_ciphertext, b_salt, b_crypted_hmac = parse_vaulttext(b_vaulttext)
Then, the relevant keys are generated from the salt and the password:
b_password = secret.bytes
b_key1, b_key2, b_iv = cls._gen_key_initctr(b_password, b_salt)
As you note correctly, the first thing that the _decrypt_cryptography function does is to check if the HMAC is correct, using one of the keys derived from the password above:
hmac = HMAC(b_key2, hashes.SHA256(), CRYPTOGRAPHY_BACKEND)
hmac.update(b_ciphertext)
try:
hmac.verify(_unhexlify(b_crypted_hmac))
except InvalidSignature as e:
raise AnsibleVaultError('HMAC verification failed: %s' % e)
Then, the actual decryption happens:
cipher = C_Cipher(algorithms.AES(b_key1), modes.CTR(b_iv), CRYPTOGRAPHY_BACKEND)
decryptor = cipher.decryptor()
unpadder = padding.PKCS7(128).unpadder()
b_plaintext = unpadder.update(
decryptor.update(b_ciphertext) + decryptor.finalize()
) + unpadder.finalize()
The b_plaintext is then returned.
So when you use the wrong password, the crypto function will return non-PKCS7 data and this then leads to the message above.
Need to launch ad-hook commands like "-m ping" on existing ec2 instances, but it requred key-pair.
How to set key-pair for boto, like "aws_access_key_id" stored in ~/.aws/credentials ?
Also, have a problem invertory:
i got "invertory" folder near Ansible, where stored both local hosts and aws_ec2.yml file. But ansible-invertory --list works only for aws_ec2.yml file...
You can declare appropriate credentials and other host-sensitive variable right in the inventory file.
I.e.:
[ec2fleet]
35.... ansible_ssh_user=ec2-user
15.... ansible_ssh_user=ubuntu
[ec2fleet:vars]
ansible_user=deployer
ansible_ssh_private_key_file=/home/deployer/.ssh/deployer.pem
I was using the secrets/master.key that was there when the password was encrypted and stored to credentials.xml. But restoring the the same set of credentials.xml and master.key is not working in a new jenkins setup. I even tried to restore secret.key but that too is not working.
I also noticed the ecrypted string in is credentials.xml is also not same for same string.
I am trying to automate the jenkins setup. Is there a way I can get the encrypted password that the jenkins produce from bash?
Jenkins and its plugins usually encrypt strings using the Secret class, which (AFAICT) stores the key under ${JENKINS_HOME}/secrets/hudson.util.Secret.
I don't know of any easy standalone solution, but you can use the Jenkins Script Console (or the groovy CLI command) to attempt to decrypt secret values that you have:
import hudson.util.Secret
Secret a = Secret.fromString('my secret value')
String ciphertext = a.getEncryptedValue()
println ciphertext
// '{AQAAABAAAAAQdIQUuG2AhKoV7mCIcd3PXBdw8ItgchIrvQrQ=}'
// or similar; will change with each new secret object
Secret b = Secret.decrypt(ciphertext)
String plaintext = b.getPlainText()
println plaintext
// 'my secret value'
host=http://$JENKINS_USERNAME:$JENKINS_PASSWORD#localhost:8080
CRUMB=$(curl -s "$host"'/crumbIssuer/api/xml?xpath=concat(//crumbRequestField,":",//crumb)')
encrypted_passphrase=$(curl -H "$CRUMB" -d "script=println(hudson.util.Secret.fromString('password').getEncryptedValue())" -X POST $host/scriptText)
I am new to Ansible. I am able to test it and its working fine with my test requirment. For making connection between management node and the client node I am using already created ssh key pair. How can I use another node with different SSH key pair? For reference I am considering 3 ec2-instance with different key pairs.
Good news- in a basic use case, this is fairly easy. Simply use the ansible_ssh_private_key_file parameter in your Ansible inventory.
Here are some examples purloined from my personal file:
$ cat hosts.ini
[server1]
54.1.2.3 ansible_ssh_private_key_file=~/.ssh/server1.pem
[testservers]
ec2-54-2-3-4.compute-1.amazonaws.com ansible_ssh_private_key_file=~/.ssh/aws-testserver.pem ansible_ssh_user=ubuntu
ec2-54-2-3-5.compute-1.amazonaws.com ansible_ssh_private_key_file=~/.ssh/aws-testserver.pem ansible_ssh_user=ubuntu
[piwall]
10.0.0.88 ansible_ssh_private_key_file=~/.ssh/raspberrypi.pem ansible_ssh_user=pi
tedder42 is correct, however, there is a better way of doing it.
See ansible_ssh_private_key_file here.
I have in my host files the following
# SSH Keys configuration
[all_servers:vars]
ansible_ssh_private_key_file = <YOUR PRIVATE KEY LOCATION>
# Server configuration
[all_servers:children]
elastic_servers
nginx_servers
[elastic_servers]
44.22.11.22
44.55.66.77
22.11.22.33
[nginx_servers]
22.24.123.123
233.111.222.11
If you have multiple keys configuration, you can do something like the following
[nginx:vars]
ansible_ssh_private_key_file = <YOUR PRIVATE KEY LOCATION>
[app:vars]
ansible_ssh_private_key_file = <YOUR 2nd PRIVATE KEY LOCATION>
[nginx:children]
nginx_servers
[app:children]
app_servers
[nginx_servers]
1.2.3.4
[app_servers]
5.5.5.5
6.6.6.6
That's way cleaner than tedder42 answer. This is useful if you have multiple keys for multiple servers.
Otherwise, you can include your key in ansible.cfg file instead.