
I have been looking into Ansible vault but want to check something in case I have missed a crucial point.

Do you have to run the playbook and provide the password? Encrypting the data seems a great idea, but if I share the playbook, the person running it will require the password. If they have the password, then they can decrypt the file and see the data.

I would like to use it to set passwords for files, but would like non-admins to be able to run the playbook.

Have I missed something? I am struggling to see its worth if this is the case.

Thanks

Daniel Mann
user3086854
  • That's what Ansible Tower allows you to do - to use secrets without directly sharing them. – Mxx Jul 19 '15 at 03:35

2 Answers

The purpose of the vault is to keep secrets encrypted "at rest" (e.g., in your source control repo, on disk), so that someone can't learn the secrets by getting hold of the content. As others have mentioned, if you want to delegate use of the secrets without divulging them, you'll need an intermediary like Tower.

nitzmahone

In your case you need something that will be brokering Ansible execution, because, like you've said, encryption would be useless if you share the password.

As mentioned in the comment, you can use Ansible Tower, or you can try to set up a simple HTTP endpoint that will be triggering Ansible based on specified parameters.

Vor
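The brokered-execution idea from the two answers, as an added example that is not part of the original thread and not Tower: a small HTTP endpoint holds the vault password file on the broker host (readable only by the broker's own service account), runs only allow-listed playbooks, and validates the caller's inventory limit, so a non-admin can trigger the play without ever receiving the password. All paths and the playbook name are hypothetical.

```python
import json
import re
import subprocess
from http.server import BaseHTTPRequestHandler, HTTPServer

# Hypothetical paths: the password file is readable only by the broker's service account.
VAULT_PASSWORD_FILE = "/etc/ansible-broker/vault_pass"
ALLOWED_PLAYBOOKS = {"set-service-passwords": "/srv/playbooks/set-service-passwords.yml"}
# The inventory limit must be a plain host or group name; anything else is rejected.
LIMIT_RE = re.compile(r"^[A-Za-z0-9_.:-]{1,64}$")


def build_command(playbook: str, limit: str) -> list:
    """Turn a caller request into a fixed ansible-playbook invocation.

    Only allow-listed playbooks run, and the vault password comes from a file on
    the broker host, so the caller can run the play without ever seeing the secret.
    """
    if playbook not in ALLOWED_PLAYBOOKS:
        raise ValueError(f"playbook not allowed: {playbook!r}")
    if not LIMIT_RE.match(limit):
        raise ValueError(f"invalid limit: {limit!r}")
    return ["ansible-playbook", "--vault-password-file", VAULT_PASSWORD_FILE,
            "--limit", limit, ALLOWED_PLAYBOOKS[playbook]]


def run_playbook(playbook: str, limit: str) -> int:
    """Run the validated command as an argv list (no shell); return ansible's exit code."""
    return subprocess.run(build_command(playbook, limit), check=False).returncode


class BrokerHandler(BaseHTTPRequestHandler):
    def do_POST(self):
        body = self.rfile.read(int(self.headers.get("Content-Length", 0)))
        try:
            req = json.loads(body or b"{}")
            rc = run_playbook(str(req.get("playbook", "")), str(req.get("limit", "")))
            status, reply = 200, {"exit_code": rc}
        except ValueError as exc:  # covers bad JSON as well as failed validation
            status, reply = 400, {"error": str(exc)}
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.end_headers()
        self.wfile.write(json.dumps(reply).encode())


if __name__ == "__main__":
    # Bind to localhost only and put authentication (e.g. a reverse proxy) in front.
    HTTPServer(("127.0.0.1", 8080), BrokerHandler).serve_forever()
```

Callers still need to be authenticated and authorised by whatever sits in front of the endpoint; the broker only guarantees that the vault password itself stays on the broker host.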