Encrypt with Ansible-Vault

Maciej
Sep 12, 2019


Introduction

I previously wrote an article, “Create a user with an encrypted password.”
I didn’t use ansible-vault there because I wanted to encrypt a single variable rather than the whole file. I also didn’t want the password displayed in plain text when the user was created, so I pasted a password encrypted with python into the playbook. That worked well enough at the time, but the number of items I want to encrypt keeps growing, and the python approach only covers that one case. Since newer Ansible versions can encrypt a single variable, I searched for how, and there is a way.

Check ansible-vault help

Checking the help by running each command one by one is cumbersome, so I have included it in the article.
If you want to get to the main text right away, skip this section.

ansible-vault -h

ansible-vault -h
Usage: ansible-vault [create|decrypt|edit|encrypt|encrypt_string|rekey|view] [options] [vaultfile.yml]

encryption/decryption utility for Ansible data files

Options:
--ask-vault-pass ask for vault password
-h, --help show this help message and exit
--new-vault-id=NEW_VAULT_ID
the new vault identity to use for rekey
--new-vault-password-file=NEW_VAULT_PASSWORD_FILE
new vault password file for rekey
--vault-id=VAULT_IDS the vault identity to use
--vault-password-file=VAULT_PASSWORD_FILES
vault password file
-v, --verbose verbose mode (-vvv for more, -vvvv to enable
connection debugging)
--version show program's version number and exit

See 'ansible-vault <command> --help' for more information on a specific
command.

ansible-vault encrypt_string --help

ansible-vault encrypt_string --help
Usage: ansible-vault encrypt_string [--prompt] [options] string_to_encrypt

encryption/decryption utility for Ansible data files

Options:
--ask-vault-pass ask for vault password
--encrypt-vault-id=ENCRYPT_VAULT_ID
the vault id used to encrypt (required if more than
vault-id is provided)
-h, --help show this help message and exit
-n ENCRYPT_STRING_NAMES, --name=ENCRYPT_STRING_NAMES
Specify the variable name
--new-vault-id=NEW_VAULT_ID
the new vault identity to use for rekey
--new-vault-password-file=NEW_VAULT_PASSWORD_FILE
new vault password file for rekey
--output=OUTPUT_FILE output file name for encrypt or decrypt; use - for
stdout
-p, --prompt Prompt for the string to encrypt
--stdin-name=ENCRYPT_STRING_STDIN_NAME
Specify the variable name for stdin
--vault-id=VAULT_IDS the vault identity to use
--vault-password-file=VAULT_PASSWORD_FILES
vault password file
-v, --verbose verbose mode (-vvv for more, -vvvv to enable
connection debugging)
--version show program's version number and exit

See 'ansible-vault <command> --help' for more information on a specific
command.

There are options such as --new-vault-id and --new-vault-password-file.
Starting with Ansible 2.4, --vault-id lets you define multiple vault-ids, each with its own vault password. What that means is shown later.

Encrypt only one variable.

If ansible-vault password is not specified, the following error will occur.

TASK [Gathering Facts] ***********************************************************************************************************************************************
fatal: [redmine]: FAILED! => {"msg": "Attempting to decrypt but no vault secrets found"}
to retry, use: --limit @/Users/devtopia/.ansible/retry-files/redmine.retry

It passes once the vault password is supplied, so first prepare a password file.

# Save the vault password somewhere outside the git repository.
echo 'PASSWORD' > ~/.vault_pass

The variable encrypted here is ansible_password. Previously it was kept in hosts.ini, which was excluded from the repository via .gitignore. Move ansible_user and ansible_password from hosts.ini to group_vars/all.yml.

# Encrypt variable ansible_password. 
echo -n 'PASSWORD' | ansible-vault encrypt_string --vault-id dev@~/.vault_pass --stdin-name 'ansible_password'
Reading plaintext input from stdin. (ctrl-d to end input)
ansible_password: !vault |
$ANSIBLE_VAULT;1.2;AES256;dev
38653564306332366561363062643632663834656465366430306139376163386535303539303034
3335393633333538656534343631336238653063626135320a303834396534366235333030373464
62336538663566653765646331666130323061373262646166613834343939323938333666303162
3164303437306662630a646534643661323065373339363166366633363337396330323563656533
3635
Encryption successful
  • Replace ‘PASSWORD’ with your actual password.
  • encrypt_string is the subcommand for encrypting a single item.
  • --vault-id takes “label@path-to-password-file”.
  • --stdin-name is the name of the variable being encrypted (here ansible_password).
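A check worth running before committing group_vars files, added here as an example that is not part of the article: it scans a vars file for secret-looking top-level keys that still hold plaintext literals instead of an inline !vault block. The sample file contents are constructed for the example, and the list of key-name patterns is an assumption to adapt to your own naming.

```python
import re
from typing import List, Tuple

# Constructed sample of group_vars/all.yml: ansible_password is vaulted inline,
# redmine_password was left in plaintext (the mistake this check is meant to catch).
SAMPLE_ALL_YML = """\
---
ansible_user: deploy
ansible_password: !vault |
  $ANSIBLE_VAULT;1.2;AES256;dev
  38653564306332366561363062643632663834656465366430306139376163386535303539303034
  3635
redmine_password: hunter2
redmine_db_host: db.internal
api_token: ""
"""

# Assumed naming convention: keys containing these words hold secrets.
SECRET_KEY_RE = re.compile(r"password|passwd|secret|token|api_key|private_key", re.IGNORECASE)
# A top-level "key: value" line (no leading indentation).
TOP_LEVEL_KEY_RE = re.compile(r"^(?P<key>[A-Za-z_][A-Za-z0-9_]*)\s*:\s*(?P<value>.*)$")


def is_protected(value: str) -> bool:
    """True when the value does not expose a secret literal: an inline
    ansible-vault block, a Jinja reference to a variable defined elsewhere
    (e.g. "{{ vault_db_password }}" from an encrypted file), or an empty placeholder."""
    value = value.strip().strip('"').strip("'")
    return value.startswith("!vault") or value.startswith("{{") or value == ""


def find_plaintext_secrets(yaml_text: str) -> List[Tuple[int, str]]:
    """Return (line_number, key) for each secret-looking top-level key whose
    value is a plaintext literal. Indented lines are skipped, which covers the
    $ANSIBLE_VAULT header and hex lines that continue a vaulted value."""
    findings: List[Tuple[int, str]] = []
    for lineno, line in enumerate(yaml_text.splitlines(), start=1):
        if not line or line.startswith("#") or line[0].isspace():
            continue
        match = TOP_LEVEL_KEY_RE.match(line)
        if match is None or not SECRET_KEY_RE.search(match.group("key")):
            continue
        if not is_protected(match.group("value")):
            findings.append((lineno, match.group("key")))
    return findings


if __name__ == "__main__":
    for lineno, key in find_plaintext_secrets(SAMPLE_ALL_YML):
        print(f"line {lineno}: {key} is stored in plaintext; encrypt it with ansible-vault encrypt_string")
```

Run against the sample it reports only redmine_password; values written as "{{ vault_... }}" references are accepted because the literal lives in a separately encrypted file.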

Once values are encrypted with ansible-vault, you must pass the vault password file option whenever you run ansible or ansible-playbook; that is the cause of the error shown at the start of this section.

ansible-playbook dev.yml --vault-password-file ~/.vault_pass
# ansible 2.4+
ansible-playbook dev.yml --vault-id ~/.vault_pass

Typing “--vault-password-file ~/.vault_pass” every time is tedious, so set the password file in the ANSIBLE_VAULT_PASSWORD_FILE environment variable instead.

# Add to the shell's environment configuration file
vim ~/.bash_profile
... snip ...
export ANSIBLE_VAULT_PASSWORD_FILE=~/.vault_pass
... snip ...
# Reload so the addition takes effect
source ~/.bash_profile
# Now works without --vault-id or --vault-password-file.
ansible-playbook dev.yml

It can also be set in the [defaults] section of ansible.cfg instead of an environment variable.

... snip ...
vault_password_file = ~/.vault_pass

I tried deleting the environment variable and it worked.

Subsequently, an error occurred when trying to encrypt another variable.

echo -n 'PASSWORD' | ansible-vault encrypt_string --vault-id dev@~/.vault_pass --stdin redmine_password
Usage: ansible-vault encrypt_string [--prompt] [options] string_to_encrypt
... snip ...
command.
ERROR! The vault-ids dev,default are available to encrypt. Specify the vault-id to encrypt with --encrypt-vault-id

The vault-ids dev and default are both available for encryption, so the one to encrypt with must be given via --encrypt-vault-id. As instructed, I tried again with --encrypt-vault-id.

echo -n 'PASSWORD' | ansible-vault encrypt_string --encrypt-vault-id dev@~/.vault_pass --stdin redmine_password
ERROR! Did not find a match for --encrypt-vault-id=dev@~/.vault_pass in the known vault-ids ['default']

It can’t find the vault-id? A moment ago dev and default were both valid, but now only default is. I thought it was because I had included the password file path, but changing it to just dev gave the same error.

echo -n 'PASSWORD' | ansible-vault encrypt_string --encrypt-vault-id dev --stdin redmine_password
ERROR! Did not find a match for --encrypt-vault-id=dev in the known vault-ids ['default']

Googling turned up another setting, vault_identity_list.

... snip ...
vault_password_file = ~/.vault_pass
vault_identity_list = dev@~/.vault_pass

After adding that to ansible.cfg and running again, it worked.

echo -n 'PASSWORD' | ansible-vault encrypt_string --encrypt-vault-id dev --stdin redmine_password
Reading plaintext input from stdin. (ctrl-d to end input)
redmine_password: !vault |
$ANSIBLE_VAULT;1.2;AES256;dev
61643061336363643331323437643535356333633439303532646430636534646331373136323234
3034373631396339306466373966643636353430303235320a646635336539646131343264306433
65626333643864636639353833326462323166636434393539613663333365383134366635373337
3866346238313866630a626135663230323462366661653434316361333636353530326231623437
3736
Encryption successful

Apparently --vault-id and --vault-password-file have overlapping roles; Google even suggests “vault-id vs vault-password-file” as a search keyword. --vault-id is an extended form of --vault-password-file: both can be used together, but --vault-id alone is enough.

I tried deleting vault_password_file from ansible.cfg and it worked.

It is probably vault_identity_list that makes the label dev known. If vault_identity_list is not set in ansible.cfg, only default is listed.

Encrypt the entire file.

group_vars/db.yml contains the database connection information.
Encrypt the entire file.

# Encrypt
ansible-vault create group_vars/db.yml
# File contents after encryption
cat group_vars/db.yml
$ANSIBLE_VAULT;1.1;AES256
65656533363866316462313831663032353031626239633333323862323132616239306130303162
3531363266336538376239646430656134363132633339320a636531653933636336306339636666
35373765653935636233353733323538333835316139373632633131326231653838303862346338
3963663332346263340a613932326665303631373932313364623232666535326235383836356336
34373536336139363865633336313762393761386234353830643835376639376662623636363864
37383136396436366231616130376636303039396236343266633930383230363635306332643136
64633865386636636135383363663065396637636435666635653737383061616635616532373865
64343165393335353231363539383635666562653936316264316330373438646564323161303066
34363735323534383461623933333965626634393863386661613030656237346361306336663733
37646531623432336262653030613461653262313831653365323536663034623439363562326365
30356662396231353737346565666230313934343034316333323533313066333130393064323162
31653434383939386164303838623633396665323530633738376262633232346337303661353261
31623463376665383637663466613137313539333366343231303431313434346564366665363062
3034303034653130666531343434346430653030393231373635
# Edit in plaintext
ansible-vault edit group_vars/db.yml --vault-password-file ~/.vault_pass
# With ANSIBLE_VAULT_PASSWORD_FILE=~/.vault_pass exported, the option can be omitted
ansible-vault edit group_vars/db.yml
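To see what the output of encrypt_string (format 1.2, labelled dev) and of create (format 1.1, no label) actually contains, here is an added example that is not part of the article: a parser for the vault envelope that separates the header fields from the hex-encoded salt, HMAC and ciphertext, plus a builder that constructs a 1.1-style sample with the same wrapping rules. The first sample input is the encrypt_string output shown earlier in the article; the 1.1 sample uses placeholder bytes. It only inspects structure and does not decrypt anything.

```python
import binascii
from dataclasses import dataclass
from typing import Optional

# The inline value encrypt_string produced earlier in this article (vault-id label "dev").
ARTICLE_INLINE_VAULT = """\
$ANSIBLE_VAULT;1.2;AES256;dev
38653564306332366561363062643632663834656465366430306139376163386535303539303034
3335393633333538656534343631336238653063626135320a303834396534366235333030373464
62336538663566653765646331666130323061373262646166613834343939323938333666303162
3164303437306662630a646534643661323065373339363166366633363337396330323563656533
3635
"""


@dataclass
class VaultEnvelope:
    version: str             # "1.1" (no label) or "1.2" (label present)
    cipher: str              # "AES256" for every current Ansible release
    vault_id: Optional[str]  # label given to --vault-id / --encrypt-vault-id, else None
    salt: bytes              # PBKDF2 salt used to derive the AES and HMAC keys
    hmac: bytes              # HMAC-SHA256 over the ciphertext
    ciphertext: bytes        # AES-256-CTR output of the PKCS7-padded plaintext


def parse_envelope(text: str) -> VaultEnvelope:
    """Split ansible-vault output into its header fields and binary parts.

    Layout (as written by ansible.parsing.vault): a header line
    "$ANSIBLE_VAULT;<version>;<cipher>[;<label>]" followed by hex text wrapped
    at 80 columns. Unhexlifying that text gives three newline-separated hex
    strings: salt, hmac, ciphertext. No decryption is attempted here."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    header = lines[0].split(";")
    if header[0] != "$ANSIBLE_VAULT" or len(header) not in (3, 4):
        raise ValueError("not an ansible-vault envelope")
    version, cipher = header[1], header[2]
    label = header[3] if len(header) == 4 else None
    if version == "1.1" and label is not None:
        raise ValueError("format 1.1 carries no vault-id label")
    inner = binascii.unhexlify("".join(lines[1:]))
    salt_hex, hmac_hex, ct_hex = inner.split(b"\n")  # ValueError if not three parts
    return VaultEnvelope(
        version, cipher, label,
        binascii.unhexlify(salt_hex), binascii.unhexlify(hmac_hex), binascii.unhexlify(ct_hex),
    )


def build_envelope(salt: bytes, mac: bytes, ciphertext: bytes, vault_id: Optional[str] = None) -> str:
    """Inverse of parse_envelope, with the same hexlify-and-wrap rules as
    ansible-vault. Used here only to construct sample envelopes; the crypto
    (PBKDF2, AES-CTR, HMAC) is deliberately not reimplemented."""
    inner = b"\n".join(binascii.hexlify(part) for part in (salt, mac, ciphertext))
    body = binascii.hexlify(inner).decode("ascii")
    wrapped = "\n".join(body[i:i + 80] for i in range(0, len(body), 80))
    header = f"$ANSIBLE_VAULT;1.2;AES256;{vault_id}" if vault_id else "$ANSIBLE_VAULT;1.1;AES256"
    return header + "\n" + wrapped + "\n"


def describe(text: str) -> str:
    """One-line summary suitable for an audit log of which vault-id protects a value."""
    env = parse_envelope(text)
    label = env.vault_id or "default"
    return f"format {env.version}, {env.cipher}, vault-id {label}, {len(env.ciphertext)} ciphertext bytes"


if __name__ == "__main__":
    print(describe(ARTICLE_INLINE_VAULT))
    # Constructed 1.1-style whole-file envelope (placeholder salt/hmac/ciphertext bytes).
    print(describe(build_envelope(b"\x01" * 32, b"\x02" * 32, b"\x03" * 16)))
```

Running it prints the format, cipher, vault-id and ciphertext size for each input. The article's encrypt_string value carries a 32-byte salt, a 32-byte HMAC and a single 16-byte AES block; the label field is what --encrypt-vault-id selects and what a rekey audit can key on, and a 1.1 header (as produced by create with the default id) has no label at all.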

Maciej

DevOps Consultant. I’m strongly focused on automation, security, and reliability.