How can I ignore failures to decrypt a vaulted file?

I have two roles, one of which has a group_vars file that is vaulted, and another that is not. I would like to run the role that does not require any vaulted information, but Ansible prompts me for a vault password anyway:

$ tree
├── deploy-home-secure.yml
├── deploy-home.yml
├── group_vars
│   ├── home
│   │   └── unvaulted
│   └── home-secure
│       ├── unvaulted
│       └── vaulted
├── hosts
└── roles
    ├── home
    │   └── tasks
    │       └── main.yaml
    └── home-secure
        └── tasks
            └── main.yaml

$ ansible-playbook --version
ansible-playbook 1.8.2
  configured module search path = None

$ ansible-playbook -i hosts deploy-home.yml
ERROR: A vault password must be specified to decrypt vaulttest/group_vars/home-secure/vaulted

$ ansible-playbook --vault-password-file=/dev/null -i hosts deploy-home.yml
ERROR: Decryption failed
asked Dec 19 '14 15:12 by Shepmaster




1 Answer

I have something like this to solve this kind of problem (mine involved different hosts rather than different roles, but I think the same principle applies):

This is the simplified file structure:

group_vars
  development_vars
  staging_vars
vaulted_vars
  production_vars

This allows you to deploy development or staging without Ansible asking you to decrypt production_vars.

And then, the production playbook goes like this:

- hosts: production
  roles:
    - role...
  vars_files:
    - vaulted_vars/production_vars

The vars_files line where you specify the path to the vaulted var is the key.

answered Sep 17 '22 08:09 by Franco Mariluis
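The point behind the answer is that Ansible reads every file under group_vars/ (and host_vars/) when it loads the inventory, so a vault-encrypted file anywhere in there forces a vault password even for plays that never use it, whereas a file listed under vars_files is only read by the play that names it. The following POSIX shell script is an added example, not code from the question or the answer: it is a pre-flight check that lists the vault-encrypted files Ansible will auto-load, then applies the answer's fix (moving the secret out of group_vars/ into a directory that is only referenced via vars_files) and shows the check coming back clean. The function names, the fixture layout and the fake ciphertext payload are assumptions made for the demonstration; only the "$ANSIBLE_VAULT;" header line is the real on-disk marker of a vaulted file.

```shell
#!/bin/sh
# Added example, not part of the original page. Finds vault-encrypted files in
# the directories Ansible loads automatically, which is what makes an
# unrelated playbook prompt for a vault password.

# Print every regular file under $1/group_vars and $1/host_vars whose first
# line is the Ansible Vault header ("$ANSIBLE_VAULT;<version>;<cipher>").
# One path per line; prints nothing when no auto-loaded file is vaulted.
find_autoloaded_vault_files() {
    root="$1"
    for d in "$root/group_vars" "$root/host_vars"; do
        [ -d "$d" ] || continue
        find "$d" -type f | sort | while IFS= read -r f; do
            if head -n 1 "$f" | grep -q '^\$ANSIBLE_VAULT;'; then
                printf '%s\n' "$f"
            fi
        done
    done
}

# Build a constructed copy of the question's layout in a temp dir and print
# its path. The vault files carry a real header but a placeholder payload
# (not real ciphertext); the check only inspects the header line anyway.
make_fixture() {
    root="$(mktemp -d)"
    mkdir -p "$root/group_vars/home" "$root/group_vars/home-secure" "$root/vaulted_vars"
    printf 'home_port: 8080\n' > "$root/group_vars/home/unvaulted"
    printf 'secure_port: 8443\n' > "$root/group_vars/home-secure/unvaulted"
    printf '$ANSIBLE_VAULT;1.1;AES256\n3031323334\n' > "$root/group_vars/home-secure/vaulted"
    printf '$ANSIBLE_VAULT;1.1;AES256\n3031323334\n' > "$root/vaulted_vars/production_vars"
    printf '%s\n' "$root"
}

# Demonstration: report, apply the answer's fix, report again.
root="$(make_fixture)"
echo "vaulted files Ansible will auto-load from group_vars/host_vars:"
find_autoloaded_vault_files "$root"
mv "$root/group_vars/home-secure/vaulted" "$root/vaulted_vars/home_secure_vars"
echo "after moving it under vaulted_vars/ (loaded only through vars_files):"
find_autoloaded_vault_files "$root"
rm -rf "$root"
```

Run it from the repository root (or pass the root to find_autoloaded_vault_files) before a deploy: a non-empty listing means any play against that inventory will demand the vault password, which is also why --vault-password-file=/dev/null in the question fails with "Decryption failed" rather than being ignored; the header tells Ansible the file is encrypted, and an empty password cannot decrypt it. After the move, the play that needs the secrets must name the new path under vars_files, exactly as in the answer's playbook.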