I would like to deploy encrypted (by ansible-vault) files using ansible without providing the vault password. The files should remain encrypted and only be decrypted on the server if needed (using a separate script).

Is that possible somehow?

Some more explanation: I am using the Ansible script to set up a CI server (bamboo, jenkins). Passwords should not live in plain text on that server, they should be decrypted on the fly when used to add another layer of security.

kev

1 Answer

I found it in the latest version (2.4). There is a decrypt flag for the copy module, see here. This is how I use it:

<role>/tasks/main.yml

- name: Copying (encrypted) Vault Content
  copy:
    src: "templates/vault/"
    dest: "{{vault_folder}}"
    directory_mode: yes
    decrypt: no

On the server, I am using this line in a script to get the decrypted content of the file:

ansible-vault decrypt <vault_folder>/<file> --output -
kev
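
As an added example (not part of the original answer), the script below audits the vault folder after the copy task with `decrypt: no` has run, flagging any file that arrived as plaintext or is world-readable, and wraps the decrypt command from the answer so it refuses non-vault files. The function names are hypothetical, and the check assumes each vault file starts with a header line of the form `$ANSIBLE_VAULT;<version>;AES256`.

```shell
#!/bin/sh
# Added example, not from the original answer. Function names are hypothetical.

# Succeed only if the first line of "$1" is an ansible-vault envelope header,
# e.g. "$ANSIBLE_VAULT;1.1;AES256" (format 1.2 appends ";<vault-id>").
is_vault_encrypted() {
    first=
    read -r first < "$1" || [ -n "$first" ] || return 1
    case $first in
        '$ANSIBLE_VAULT;'[0-9].[0-9]';AES'*) return 0 ;;
        *) return 1 ;;
    esac
}

# Walk the folder the copy task deployed to. Print one finding per file that
# is plaintext or readable by "other"; return 1 if there is any finding.
# (File names containing newlines are not supported.)
audit_vault_dir() {
    report=$(find "$1" -type f | while IFS= read -r f; do
        if ! is_vault_encrypted "$f"; then
            printf 'PLAINTEXT %s\n' "$f"
        elif [ -n "$(find "$f" -perm -004)" ]; then
            printf 'WORLD-READABLE %s\n' "$f"
        fi
    done)
    [ -z "$report" ] && return 0
    printf '%s\n' "$report"
    return 1
}

# Decrypt to stdout only (the command from the answer). Anything that is not
# a vault envelope is rejected, so a plaintext file is never passed through.
read_secret() {
    is_vault_encrypted "$1" || { echo "not vault-encrypted: $1" >&2; return 2; }
    ansible-vault decrypt "$1" --output -
}
```

Source the file, run `audit_vault_dir <vault_folder>` after each deployment, and call `read_secret <vault_folder>/<file>` from the script that needs the value.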