Ansible Vault — Decrypting Multiple Passwords

Introduction

  • From 2.4 you can still use the old --vault-password-file option, but you can replace it with the --vault-id option.
  • The --vault-id option does more than --vault-password-file, but if you give it only the path of a file containing the password, as you would with --vault-password-file, it behaves exactly like --vault-password-file.
  • Because --vault-id can be given several times when decrypting, a playbook can run even when it references several files encrypted with different passwords.

Compare Vault

Ansible 2.3

root@vagrant:/home/vagrant# ansible-vault create --vault-password-file file_with_password.txt new_file_to_encrypt.txt
root@vagrant:/home/vagrant# ansible-vault create --vault-password-file file_with_password.txt existing_file_to_encrypt.txt
root@vagrant:/home/vagrant# echo -n '(name): (some-value)' | ansible-vault encrypt --vault-password-file file_with_password.txt --output new_file_to_encrypt.txt
Encryption successful

Ansible 2.4

  • echo -n "P@ssword_123" > vault_pass1
  • echo -n "P@ssw0rd_321" > vault_pass2
root@vagrant:/home/vagrant# echo -n 'name: some-value' | ansible-vault encrypt --vault-password-file vault_pass1 --output multi_pass.yaml
Encryption successful
root@vagrant:/home/vagrant# echo -n 'name: some-value' | ansible-vault encrypt --vault-id vault_pass1 --output multi_pass.yaml
Encryption successful
root@vagrant:/home/vagrant# cat multi_pass.yaml
$ANSIBLE_VAULT;1.1;AES256
30343764396266386632656531323436633130366163316462366663303664383965303235346638
6366316233363965633434366437663661366163393337610a643035313436323066326433376662
63646234393636623366653239316434653138363766376432336339346436363862343235366363
3265313435633863350a323761386163376534386533613032323636623535623262636265323361
32613530316434653333363566623235363834383965643162336131376430623235
  • ansible-vault view --vault-password-file vault_pass1 multi_pass.yaml
  • ansible-vault view --vault-id vault_pass1 multi_pass.yaml

1. Labels

root@vagrant:/home/vagrant# echo -n 'name: some-value' | ansible-vault encrypt --vault-id label2@vault_pass1 --output multi_pass2.yaml
Encryption successful
root@vagrant:/home/vagrant# cat multi_pass2.yaml
$ANSIBLE_VAULT;1.2;AES256;label2
63663765356563386635306330363663316239363330623662333636636239393531383631323333
6261386561633739616234306631343934656333373931300a353836303838383336613436663664
31376230626439616433333534346463303939306531383830643666303761326561313838383662
3536396335616138610a333739393839333862663436353638636534366662623138653031636231
35666265623733636338333562393633333861363963313661636532643832333839
  • vault_id_match = True in the [defaults] section of the configuration file ansible.cfg
  • ANSIBLE_VAULT_ID_MATCH=True as an environment variable; the default is False
  • When the setting is enabled, a labeled file is decrypted only with the vault-id whose label matches its header; when it is disabled, Ansible also tries the other supplied passwords.
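The header line shown above is all you need to find out, before running a playbook, which vault-id labels a repository requires. The following is an added example and not part of the original post: it constructs two sample vault files (placeholder ciphertext, only the header matters) plus one plaintext file, reports each file's format version and label, and lists the distinct labels a directory needs. The directory layout and the `unlabeled` / `not-vault` result words are assumptions of this example, not Ansible conventions.

```shell
#!/bin/sh
# Added example (not from the original post): read the first line of
# Ansible Vault files to report format version and vault-id label.

WORK=$(mktemp -d)

# Constructed sample files. Ciphertext is a placeholder; Ansible writes
# "$ANSIBLE_VAULT;1.1;AES256" for unlabeled files and
# "$ANSIBLE_VAULT;1.2;AES256;<label>" for files encrypted with label@source.
printf '%s\n%s\n' '$ANSIBLE_VAULT;1.1;AES256' '3034376439...' > "$WORK/multi_pass.yaml"
printf '%s\n%s\n' '$ANSIBLE_VAULT;1.2;AES256;label2' '6366376535...' > "$WORK/multi_pass2.yaml"
printf '%s\n' 'name: plaintext-value' > "$WORK/plain.yaml"

# vault_version FILE -> "1.1", "1.2", or an empty string for non-vault files
vault_version() {
    header=$(head -n 1 "$1")
    case "$header" in
        '$ANSIBLE_VAULT;'*) printf '%s\n' "$header" | cut -d';' -f2 ;;
        *) echo "" ;;
    esac
}

# vault_label FILE -> the label from a 1.2 header, "unlabeled" for a 1.1
# header, or "not-vault" when the file carries no $ANSIBLE_VAULT header
vault_label() {
    header=$(head -n 1 "$1")
    case "$header" in
        '$ANSIBLE_VAULT;'*)
            label=$(printf '%s\n' "$header" | cut -d';' -f4)
            if [ -n "$label" ]; then echo "$label"; else echo unlabeled; fi ;;
        *) echo not-vault ;;
    esac
}

# required_vault_ids DIR -> sorted, de-duplicated labels of every vault file
# in DIR, i.e. the set of --vault-id entries a playbook run must provide
required_vault_ids() {
    for f in "$1"/*; do
        l=$(vault_label "$f")
        [ "$l" = not-vault ] || echo "$l"
    done | sort -u
}

# Stand-alone run: print one line per file, then the required label set
for f in "$WORK"/*; do
    printf '%s version=%s label=%s\n' "$(basename "$f")" "$(vault_version "$f")" "$(vault_label "$f")"
done
required_vault_ids "$WORK"
```

`required_vault_ids` only tells you which labels the files carry; it cannot tell you whether the password behind each label is the right one, so a file whose label matches but whose password does not will still fail at decrypt time, which is the case the `vault_id_match` setting above governs.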

2. Decryption with multiple passwords

root@vagrant:/home/vagrant# cat hosts_inventory
multi_pass[1:3]
root@vagrant:/home/vagrant# echo -n 'name: some-value' | ansible-vault encrypt --vault-id label3@vault_pass2 --output multi_pass3.yaml
Encryption successful
root@vagrant:/home/vagrant# ansible-playbook -i hosts_inventory --vault-id vault_pass1 --vault-id vault_pass2 playbook.yaml
PLAY [all] *****************************************************************************************************************************************************
TASK [debug] ***************************************************************************************************************************************************
ok: [multi_pass1] => {
"example_key": "VARIABLE IS NOT DEFINED!"
}
ok: [multi_pass2] => {
"example_key": "VARIABLE IS NOT DEFINED!"
}
ok: [multi_pass3] => {
"example_key": "VARIABLE IS NOT DEFINED!"
}
ok: [192.168.123.123] => {
"example_key": "VARIABLE IS NOT DEFINED!"
}
PLAY RECAP *****************************************************************************************************************************************************
192.168.123.123 : ok=1 changed=0 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
multi_pass1 : ok=1 changed=0 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
multi_pass2 : ok=1 changed=0 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
multi_pass3 : ok=1 changed=0 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
root@vagrant:/home/vagrant# echo -n 'name: some-value' | ansible-vault encrypt --vault-password-file vault_pass1 --output multi_pass2.yaml
Encryption successful

root@vagrant:/home/vagrant# echo -n 'name: some-value' | ansible-vault encrypt --vault-password-file vault_pass2 --output multi_pass3.yaml
Encryption successful
  • multi_pass.yaml is unlabeled
  • multi_pass2.yaml is labeled with label2
  • multi_pass3.yaml is labeled with label3
root@vagrant:/home/vagrant# ansible-playbook -i hosts_inventory --vault-id vault_pass1 --vault-id label2@vault_pass1 --vault-id label3@vault_pass2 playbook.yaml
PLAY [all] *****************************************************************************************************************************************************
TASK [debug] ***************************************************************************************************************************************************
ok: [multi_pass1] => {
"example_key": "VARIABLE IS NOT DEFINED!"
}
ok: [multi_pass2] => {
"example_key": "VARIABLE IS NOT DEFINED!"
}
ok: [multi_pass3] => {
"example_key": "VARIABLE IS NOT DEFINED!"
}
ok: [192.168.123.123] => {
"example_key": "VARIABLE IS NOT DEFINED!"
}
PLAY RECAP *****************************************************************************************************************************************************
192.168.123.123 : ok=1 changed=0 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
multi_pass1 : ok=1 changed=0 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
multi_pass2 : ok=1 changed=0 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
multi_pass3 : ok=1 changed=0 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
root@vagrant:/home/vagrant# ansible-playbook -i hosts_inventory --vault-password-file vault_pass1 --vault-id label2@vault_pass1 --vault-id label3@vault_pass2 playbook.yaml
PLAY [all] *****************************************************************************************************************************************************
TASK [debug] ***************************************************************************************************************************************************
ok: [multi_pass1] => {
"example_key": "VARIABLE IS NOT DEFINED!"
}
ok: [multi_pass2] => {
"example_key": "VARIABLE IS NOT DEFINED!"
}
ok: [multi_pass3] => {
"example_key": "VARIABLE IS NOT DEFINED!"
}
ok: [192.168.123.123] => {
"example_key": "VARIABLE IS NOT DEFINED!"
}
PLAY RECAP *****************************************************************************************************************************************************
192.168.123.123 : ok=1 changed=0 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
multi_pass1 : ok=1 changed=0 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
multi_pass2 : ok=1 changed=0 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
multi_pass3 : ok=1 changed=0 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0

3. ask-vault-pass

root@vagrant:/home/vagrant# ansible-playbook -i hosts_inventory --vault-password-file vault_pass1 --vault-id label2@vault_pass1 --vault-id label2@prompt playbook.yaml
Vault password (label2):
PLAY [all] *****************************************************************************************************************************************************
TASK [debug] ***************************************************************************************************************************************************
ok: [multi_pass1] => {
"example_key": "VARIABLE IS NOT DEFINED!"
}
ok: [multi_pass2] => {
"example_key": "VARIABLE IS NOT DEFINED!"
}
ok: [multi_pass3] => {
"example_key": "VARIABLE IS NOT DEFINED!"
}
ok: [192.168.123.123] => {
"example_key": "VARIABLE IS NOT DEFINED!"
}
PLAY RECAP *****************************************************************************************************************************************************
192.168.123.123 : ok=1 changed=0 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
multi_pass1 : ok=1 changed=0 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
multi_pass2 : ok=1 changed=0 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
multi_pass3 : ok=1 changed=0 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0

Maciej

DevOps Consultant. I’m strongly focused on automation, security, and reliability.