1

Is there a way to access the vault password as a variable in an Ansible playbook? I am looking for something like this:

---

debug: var=ansible_vault_password
Thomas
  • 1
    Looks like an attempt to steal vault password. – Konstantin Suvorov Mar 27 '17 at 10:28
  • I want to set up ansible pull on a server. This server needs to know the vault password. So I want to create a file on the server with the contents of this variable. The code above is just an example of a variable name I want to access. – Thomas Mar 27 '17 at 10:44
  • And for that you need to access the password provided to Ansible Vault? Really? – techraf Mar 27 '17 at 10:54
  • I'm genuinely curious why there's scepticism here. We have an initial deployment playbook using Vault for some sensitive info. We also re-run the same playbook daily via ansible-pull to keep environments up to date. Seems to me we need to provide the password to ansible-pull, which means reading it from a var into a file on the (secure) server in the first place. What am I missing? – hillsy Apr 05 '17 at 09:54

2 Answers

1

I ended up solving this by copying the local vault password file to the server. The task to do that looks like this:

- name: setup ansible vault password file
  copy:
    src: /path/to/local/vault_pass
    dest: /root/.vault_pass
    mode: 0600
    owner: root
    group: root

And then the root user will execute the ansible-pull command.

Thomas
  • 1
    We didn't quite do that, because /path/to/local/vault_pass would end up in source control along with all our other Ansible config. Which would defeat the purpose of using Vault. But it does seem there's no good way to do this except already having the vault password in a file on the server. So we've "pre-deployed" the password file to the template used to create all our VMs. Not ideal, but it works. – hillsy May 08 '17 at 09:32
  • 1
    The `vault_pass` file is excluded from the repository through the ignore file in our case. – Thomas May 09 '17 at 14:25
  • This doesn't answer the question :/ – Kostas Mouratidis Mar 18 '22 at 21:51
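
The setup from the answer above, carried through to the `ansible-pull` run, as an added example that is not part of the original answer or its comments. The host group `pull_nodes`, the repository URL and the playbook name `local.yml` are placeholder assumptions; the source path is the one the answer uses and is expected to stay outside version control.

```yaml
---
- hosts: pull_nodes          # assumed inventory group
  become: true
  tasks:
    - name: Deploy the vault password file for root only
      ansible.builtin.copy:
        src: /path/to/local/vault_pass   # keep this file out of the repository
        dest: /root/.vault_pass
        owner: root
        group: root
        mode: "0600"
      no_log: true            # keep the secret out of task output and --diff

    - name: Read back ownership and mode of the deployed file
      ansible.builtin.stat:
        path: /root/.vault_pass
      register: vault_pass_stat

    - name: Stop if the file is readable by anyone other than root
      ansible.builtin.assert:
        that:
          - vault_pass_stat.stat.exists
          - vault_pass_stat.stat.isreg
          - vault_pass_stat.stat.pw_name == 'root'
          - vault_pass_stat.stat.mode == '0600'
        fail_msg: "/root/.vault_pass must be a regular file, root-owned, mode 0600"

    - name: Run ansible-pull daily as root with the password file
      ansible.builtin.cron:
        name: ansible-pull
        user: root
        special_time: daily
        # placeholder repository URL and playbook name
        job: >-
          ansible-pull -U https://git.example.com/ops/config.git
          --vault-password-file /root/.vault_pass local.yml
```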
0

Try to save the password into a different file and use "vars_files" to include the password. Example:

In Password.yml:

ansible_vault_password: redhat

In Playbook.yml:

- hosts: xyz
  vars_files:
    - password.yml
  tasks:
    - debug:
        # var takes the bare variable name, not a templated expression
        var: ansible_vault_password

Try this and please let me know.

halfer