How to automate ansible vault decryption?

I want to automate the decryption of ansible vault and not to have to specify the vault location or password from the command line.

Mainly, I am looking for a solution that would work in a way similar to how ~/.netrc works. When you put credentials there, tools like curl, wget, etc. know to load them.

If you don't it the execution will have.

That's quite important because I need to be able to automate the execution of these ansible playbooks, so prompting for a password is clearly not an option.

Also, I do not want to have to add --vault-password-file parameter to each playbook. Any ideas?

sorin asked Feb 17 '16 16:02


People also ask

How do I decrypt with ansible vault?

If you have an encrypted file that you no longer want to keep encrypted, you can permanently decrypt it by running the ansible-vault decrypt command. This command will save the file unencrypted to the disk, so be sure you do not want to edit it instead.

Which algorithm is used in ansible vault?

The $ANSIBLE_VAULT;1.1;AES256 header at the top of the file indicates that the file is encrypted with Ansible Vault using the AES256 cipher. The Advanced Encryption Standard (AES) is a symmetric-key algorithm that uses the same key to encrypt and decrypt data.

How do you bypass the vault password in ansible-playbook?

Running a Playbook With Vault: The password should be a string stored as a single line in the file. You can also set the ANSIBLE_VAULT_PASSWORD_FILE environment variable, e.g. ANSIBLE_VAULT_PASSWORD_FILE=~/.vault_pass.txt, and Ansible will automatically search for the password in that file.

How do I pass ansible Vault password command line?

To enable this feature, a command line tool - ansible-vault - is used to edit files, and a command line flag ( --ask-vault-pass , --vault-password-file or --vault-id ) is used. Alternately, you may specify the location of a password file or command Ansible to always prompt for the password in your ansible.


1 Answer

Much like the inventory, if vault-password-file has the executable bit set, Ansible will run it and use stdout as the password.

That allows you to write a script that wraps the password in PGP encryption, sits in a limited-access S3 bucket, uses AWS KMS, or whatever strikes your fancy.

tedder42 answered Sep 21 '22 04:09
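The mechanism tedder42 describes, as an added shell example that is not part of the original answer: `vault_password_from` mirrors what ansible-playbook does with the configured password file (run it if executable, otherwise read the line it holds), and `install_vault_password_script` writes such an executable wrapper that refuses a loosely-permissioned secret. The script name, the backing secret file and the ansible.cfg line are assumptions.

```shell
#!/bin/sh
# Added example, not from the original answer: a vault password file that is a
# script. Ansible runs an executable vault-password-file and uses its stdout as
# the password. Paths, file names and the secret below are assumed/constructed.

# Mirror of how ansible-playbook treats the configured vault password file:
# executable -> run it and take stdout; otherwise -> take the single line it holds.
vault_password_from() {
    f="$1"
    [ -e "$f" ] || { echo "no such vault password file: $f" >&2; return 1; }
    if [ -x "$f" ]; then
        "$f"
    else
        head -n 1 "$f"
    fi
}

# Write an executable password script DIR/vault-pass.sh that reads the secret
# from BACKING (assumed ~/.vault_pass.secret; a gpg --decrypt or KMS call would
# go in the same place). It refuses a group- or world-readable backing file and
# prints nothing but the password on stdout, as Ansible expects.
install_vault_password_script() {
    dir="$1"; backing="$2"
    cat > "$dir/vault-pass.sh" <<EOF
#!/bin/sh
# Run by Ansible; stdout is the vault password, so never print anything else here.
secret="$backing"
[ -f "\$secret" ] || { echo "missing \$secret" >&2; exit 1; }
# Refuse unless group and other permission bits are all clear (0600-style mode).
case "\$(ls -ld "\$secret" | cut -c5-10)" in
    "------") ;;
    *) echo "\$secret must not be group/world readable" >&2; exit 1 ;;
esac
head -n 1 "\$secret"
EOF
    chmod 0700 "$dir/vault-pass.sh"
    echo "$dir/vault-pass.sh"
}

# Point every playbook run at the script once, instead of a per-command flag:
#   ansible.cfg  ->  [defaults]
#                    vault_password_file = ~/.vault-pass.sh
#   or           ->  export ANSIBLE_VAULT_PASSWORD_FILE=~/.vault-pass.sh
```

With the script referenced from ansible.cfg or ANSIBLE_VAULT_PASSWORD_FILE, no playbook needs --vault-password-file and the secret itself never sits on a command line where other users could read it from the process list.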