Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Deployment with Ansible from Gitlab CI, dealing with passwords

Tags:

ansible

gitlab-ci

I'm trying to achieve an "password-free" deployment workflow using Gitlab CI and Ansible. Some steps do require a password (I'm already using SSH Keys whenever I can) so I've stored those password inside an Ansible Vault. Next, I would just need to provide the Vault password when running the playbook.

But how could I integrate this nicely with Gitlab CI?

May I register a gitlab-ci job (or jobs are suitable for builds only?), which just runs the playbook providing the vault password somehow?! Can this be achieved without a password laying around in plain text?!

Also, I would be really happy if someone can point me some material that shows how we can deploy builds using Ansible. As you can notice, I've definitively found nothing about that.

like image 935
kbtz Avatar asked Sep 15 '15 14:09

kbtz

People also ask

How do you pass an encrypted password in Ansible?

You can use the ansible-vault encrypt_string command for this. You'll be prompted to insert and then confirm the vault password. You can then start inserting the string value that you wish to encrypt. Press ctrl-d to end input.

How do I use Ansible passwords?

To enable this feature, a command line tool, ansible-vault is used to edit files, and a command line flag --ask-vault-pass or --vault-password-file is used. You can also modify your ansible. cfg file to specify the location of a password file or configure Ansible to always prompt for the password.

How do I store passwords in Ansible vault?

You can store your vault passwords on the system keyring, in a database, or in a secret manager and retrieve them from within Ansible using a vault password client script. Enter the password as a string on a single line. If your password has a vault ID, store it in a way that works with your password storage tool.

1 Answers

You can set an environment variable in the GitLab CI which would hold the Ansible Vault password. In my example i called it $ANSIBLE_VAULT_PASSWORD

Here is the example for .gitlab-ci.yml:

deploy:
  only:
    - master
  script:
    - echo $ANSIBLE_VAULT_PASSWORD > .vault_password.txt
    - ansible-playbook -i ansible/staging.yml --vault-password-file .vault_password.txt

Hope this trick helps you out.

like image 134
Laurynas Mališauskas Avatar answered Sep 22 '22 05:09

Laurynas Mališauskas
Sign in to Comment

Related questions

Can I override Ansible SSH key inventory variable ansible_ssh_private_key_file on command line?
Getting a directory of a tasks file for relative paths
ansible-playbook -> ControlPath too long
Recover ansible-vault password in case password is forgotten
Ansible - Automation remote or local?
Ansible vars_prompt for roles
Argument group is of type 'dict' and we were unable to convert to list
In ansible, how to synchronize 2 folders on the same remote machine?
Ansible: Perform a failed_when: on an async task based on a value from stdout
In Ansible, how can I combine a default dictionary in a role with a dictionary passed to that role as an argument?
docker daemon start using ansible
What's the difference between roles and tasks (and tags) in Ansible?
Ansible: How to use inventory variables in ad-hoc commands
How can I run commands in sudo mode with ansible playbook?
Ansible variables wildcard selection
How to decode a Base64 var to a binary file with Ansible module
How to install ansible 2.9+ on ubuntu 18.04 and utilize python3?
SSH Fails Due to Key File Permissions When I Try to Provision a Vagrant VM with Ansible on Windows/Cygwin
Ansible: Trying to create multiple EC2 instances in multiple regions in one shot
execute ssh-add with ansible raise an error

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!