3

I have a job in Rundeck, which require users to pass in database password to ansible. And ansible will take it as an extra variable.

ansible-playbook test.yml -e "password=123"

However, we would like to vault the password during the runtime, but from ansible's best practice. They would require the password to be stored in a file. and vault the entire file using ansible-vault create.

Since we have a large number of the password to pass in, and I notice there is a function call encrypt_string. I try to call it in a playbook and try to generate a vault password on the fly, but I'm getting error below:

"ERROR! Only one --vault-id can be used for encryption. This includes passwords from configuration and cli."

Here is my playbook test.yml:

---
- name: test
  hosts: localhost
  tasks:
  - name: vault var
    command: ansible-vault encrypt_string "{{ password }}" --vault-password-file ~/.vault_pass.txt
    register: var

  - name: variable
    set_fact:
      mypass: var

  - name: test encrypt_string
    debug:
      msg: "{{ mypass }}"

I'm not sure if this is the correct way to do it/best practice, anyone can shed some light will be very appreciated.

Thanks,

Jervis Lin
  • 151
  • 1
  • 3
  • 11

1 Answers1

0

You may update your task by removing option --vault-password-file as ansible seems getting/reading it from your environment some way.

...
...
- name: test
  hosts: localhost
  tasks:
  - name: vault var
    command: ansible-vault encrypt_string "{{ password }}" 
    register: var
...
...

If you prefer to keep this option in playbook, you may need to find where ansible is reading it from. Ansible may be reading it from it's default config file, generally found at ~/.ansible.cfg [look for vault_password_file] or alias or somewhere else.

You may find more details at ansible vault documentation with examples.

Robert Ranjan
  • 1,538
  • 3
  • 19
  • 17