
Ansible: How to encrypt some variables in an inventory file in a separate vault file?

The settings

Consider an Ansible inventory file similar to the following example:

[san_diego]
host1
host2

[san_francisco]
host3
host4

[west_coast]
san_diego
san_francisco

[west_coast:vars]
db_server=foo.example.com
db_host=5432
db_password=top secret password

The problem

I would like to store some of the vars (like db_password) in an Ansible vault, but not the entire file.

How can a vault-encrypted ansible file be imported into an unencrypted inventory file?

What I've tried

I have created an encrypted vars file and tried importing it with:

include: secrets 

To which ansible-playbook responded with:

ERROR: variables assigned to group must be in key=value form 

Probably because it tried to parse the include statement as a variable.

Adam Matan asked May 13 '15 08:05

People also ask

How do I encrypt variables in ansible vault?

To create a basic encrypted variable, pass three options to the ansible-vault encrypt_string command: a source for the vault password (prompt, file, or script, with or without a vault ID), the string to encrypt, and the string name (the name of the variable).

What can be encrypted with vault in ansible?

Ansible Vault can encrypt any structured data file used by Ansible. This can include "group_vars/" or "host_vars/" inventory variables, variables loaded by "include_vars" or "vars_files", or variable files passed on the ansible-playbook command line with -e @file.yml or -e @file.

How do I encrypt an ansible file?

To create a new file encrypted with Vault, use the ansible-vault create command. Pass in the name of the file you wish to create. For example, to create an encrypted YAML file called vault.

How do you pass an encrypted password in ansible?

You can use the ansible-vault encrypt_string command for this. You'll be prompted to insert and then confirm the vault password. You can then start inserting the string value that you wish to encrypt. Press ctrl-d to end input.


1 Answer

Since Ansible 2.3 you can encrypt a Single Encrypted Variable. IMO, a walkthrough is needed as the docs seem pretty terse.

Given an example of: mysql_password: password123 (within main.yml)

Run a command such as:

ansible-vault encrypt_string password123 --ask-vault-pass

This will produce:

!vault |
          $ANSIBLE_VAULT;1.1;AES256
          66386439653236336462626566653063336164663966303231363934653561363964363833
          3136626431626536303530376336343832656537303632313433360a626438346336353331
Encryption successful

Paste this into your main.yml:

mysql_password: !vault |
    $ANSIBLE_VAULT;1.1;AES256
    66386439653236336462626566653063336164663966303231363934653561363964363833
    3136626431626536303530376336343832656537303632313433360a626438346336353331

Run the playbook, i.e.:

ansible-playbook -i hosts main.yml --ask-vault-pass

Verify via debug:

- debug:
    msg: "mysql Pwd: {{ mysql_password }}"

wired00 answered Oct 08 '22 21:10
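The answer above shows how an encrypted string is pasted into a YAML vars file, while the question's INI inventory keeps db_password in the clear. The following Python script is an added example (not part of the question or answer, and not Ansible's own code) that a practitioner could run as a pre-commit check: it flags secret-looking variables in [group:vars] sections of an INI inventory (which has no !vault syntax, so any hit is plaintext), scans a group_vars file for secret-looking keys that are not !vault blocks, and validates that each !vault block is a well-formed $ANSIBLE_VAULT envelope (header, hex payload, and the salt/HMAC/ciphertext split Ansible packs inside it). The SECRET_KEY_RE heuristic, the sample inventory and the vault body bytes are constructed for this example; pack_vault_envelope exists only to build that sample and is not a substitute for ansible-vault encrypt_string.

```python
"""Audit an Ansible INI inventory and a group_vars file for secret-looking
variables that are not vault-encrypted, and sanity-check the $ANSIBLE_VAULT
envelope format produced by `ansible-vault encrypt_string`.
Added example; all sample data below is constructed, not a real vault."""
import re
from binascii import hexlify, unhexlify

# Envelope header written by ansible-vault: $ANSIBLE_VAULT;<version>;AES256[;<vault-id>]
VAULT_HEADER_RE = re.compile(
    r"^\$ANSIBLE_VAULT;(?P<version>1\.[12]);(?P<cipher>AES256)(?:;(?P<vault_id>\S+))?$")
# Assumed heuristic for variable names that should never be stored in the clear
SECRET_KEY_RE = re.compile(r"pass(word)?|secret|token|api_?key", re.IGNORECASE)


def parse_vault_envelope(text):
    """Split a vault envelope into its header fields and the salt / HMAC /
    ciphertext that Ansible packs as hex(hex(salt) NL hmac_hex NL hex(ct)).
    Raises ValueError for anything that is not a well-formed envelope."""
    lines = [ln.strip() for ln in text.strip().splitlines() if ln.strip()]
    if not lines:
        raise ValueError("empty vault text")
    header = VAULT_HEADER_RE.match(lines[0])
    if not header:
        raise ValueError("missing $ANSIBLE_VAULT header: %r" % lines[0])
    try:
        payload = unhexlify("".join(lines[1:]))
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise ValueError("vault payload is not hex") from exc
    parts = payload.split(b"\n", 2)
    if len(parts) != 3:
        raise ValueError("payload must carry salt, hmac and ciphertext")
    salt_hex, hmac_hex, ct_hex = parts
    return {"version": header.group("version"), "cipher": header.group("cipher"),
            "vault_id": header.group("vault_id"), "salt": unhexlify(salt_hex),
            "hmac": hmac_hex.decode("ascii"), "ciphertext": unhexlify(ct_hex)}


def pack_vault_envelope(salt, hmac_hex, ciphertext, version="1.1"):
    """Inverse of parse_vault_envelope, used here only to build a sample;
    real envelopes must come from `ansible-vault encrypt_string`."""
    body = b"\n".join([hexlify(salt), hmac_hex.encode("ascii"), hexlify(ciphertext)])
    hexbody = hexlify(body).decode("ascii")
    wrapped = [hexbody[i:i + 80] for i in range(0, len(hexbody), 80)]  # 80-col wrap
    return "\n".join(["$ANSIBLE_VAULT;%s;AES256" % version] + wrapped)


def audit_inventory_vars(ini_text):
    """Report secret-looking keys in [group:vars] sections. An INI inventory
    has no !vault syntax, so every hit is a plaintext secret."""
    findings, section = [], None
    for raw in ini_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section and section.endswith(":vars") and "=" in line:
            key = line.partition("=")[0].strip()
            if SECRET_KEY_RE.search(key):
                findings.append((section, key, "plaintext"))
    return findings


def audit_group_vars(yaml_text):
    """Scan top-level scalars of a group_vars file without PyYAML: a secret-
    looking key is 'vaulted' only if its value is a !vault block that parses."""
    findings, lines, i = [], yaml_text.splitlines(), 0
    while i < len(lines):
        m = re.match(r"^([A-Za-z_]\w*):\s*(.*)$", lines[i])
        i += 1
        if not m or not SECRET_KEY_RE.search(m.group(1)):
            continue
        key, value = m.group(1), m.group(2).strip()
        if not value.startswith("!vault"):
            findings.append((key, "plaintext"))
            continue
        block = []  # indented continuation lines form the envelope
        while i < len(lines) and lines[i].startswith((" ", "\t")):
            block.append(lines[i])
            i += 1
        try:
            parse_vault_envelope("\n".join(block))
            findings.append((key, "vaulted"))
        except ValueError as exc:
            findings.append((key, "malformed vault: %s" % exc))
    return findings


# Constructed samples: a cut-down copy of the question's inventory, and a
# group_vars/west_coast.yml whose vault body is fake bytes in the real layout.
INVENTORY = """[san_diego]
host1
host2
[west_coast:vars]
db_server=foo.example.com
db_password=top secret password
"""
SAMPLE_VAULT = pack_vault_envelope(b"\x01" * 32, "ab" * 32, b"\x02" * 16)
GROUP_VARS = "db_server: foo.example.com\ndb_password: !vault |\n" + \
    "".join("  %s\n" % ln for ln in SAMPLE_VAULT.splitlines()) + "api_key: plain-text-value\n"

if __name__ == "__main__":
    print(audit_inventory_vars(INVENTORY))  # db_password in [west_coast:vars] is plaintext
    print(audit_group_vars(GROUP_VARS))     # db_password vaulted, api_key plaintext
```

Running it prints one plaintext finding for the INI inventory and, for the YAML file, marks db_password as vaulted and api_key as plaintext. The envelope check catches the common copy-paste failure where only part of the hex body is pasted (as with the two-line excerpt in the answer): such a block decodes, but does not split into salt, HMAC and ciphertext, and is reported as malformed rather than as protected.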