6

I am reading this page and if I drop the following text in a file in the Inventory folder:

    [vyos:vars]
    ansible_connection=network_cli
    ansible_network_os=vyos
    ansible_user=my_vyos_user
    ansible_ssh_pass= !vault |
           $ANSIBLE_VAULT;1.2;AES256;my_user
           66386134653765386232383236303063623663343437643766386435663632343266393064373933
           3661666132363339303639353538316662616638356631650a316338316663666439383138353032
           63393934343937373637306162366265383461316334383132626462656463363630613832313562
           3837646266663835640a313164343535316666653031353763613037656362613535633538386539
           65656439626166666363323435613131643066353762333232326232323565376635

I am getting this error message:

    [WARNING]:  * Failed to parse /home/myuser/Ansible/Inventory/pwdtest
    with ini plugin: /home/cristi/Ansible/Inventory/pwdtest:9: Expected
    key=value, got: $ANSIBLE_VAULT;1.2;AES256;my_user

I think the issue comes down to assigning a multiline string to a variable in an INI file.

Does anybody have any idea how I can use this? I can use the above in a YAML file format but I would like to keep consistency and use YAML everywhere

Cadoiz
MiniMe

1 Answer

9

How do I use an encrypted variable (ansible_ssh_pass) in an INI file?

You can't.

The documentation page you linked to seems to be blatantly wrong.

For a start, the !vault tag and | character in the output of ansible-vault belong to YAML syntax and there is no way they could ever work in an INI-format inventory.

It also seems that the function AnsibleVaultEncryptedUnicode, which decrypts the value, is called only from the YAML parser, so there is no way to modify the value (like single line, no tag) in the INI-format inventory.


You can either:

  • write your inventory in YAML, whole or a part of it, if you use a directory and split the inventory into multiple files

  • create a directory group_vars in the same directory as your inventory file and put a file vyos.yml inside with the following content:

    ansible_connection: network_cli
    ansible_network_os: vyos
    ansible_user: my_vyos_user
    ansible_ssh_pass: !vault |
      $ANSIBLE_VAULT;1.2;AES256;my_user
      66386134653765386232383236303063623663343437643766386435663632343266393064373933
      3661666132363339303639353538316662616638356631650a316338316663666439383138353032
      63393934343937373637306162366265383461316334383132626462656463363630613832313562
      3837646266663835640a313164343535316666653031353763613037656362613535633538386539
      65656439626166666363323435613131643066353762333232326232323565376635
    
techraf
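
The second option from the answer above, automated: this added example (not code from the answer or from Ansible) moves every `[group:vars]` section of an INI inventory into text for `group_vars/<group>.yml`, carrying a pasted `!vault |` block over intact. The function name, the sample inventory and its shortened vault payload are constructed, and it assumes the variable values are simple scalars that need no YAML quoting.

```python
import re

# Constructed sample: the question's layout with a shortened, fake vault payload.
SAMPLE_INI = """\
[vyos]
router1

[vyos:vars]
ansible_connection=network_cli
ansible_network_os=vyos
ansible_ssh_pass= !vault |
       $ANSIBLE_VAULT;1.2;AES256;my_user
       6638613465376538
       3661666132363339
"""

HEADER = re.compile(r"\[([^\]:]+)(?::(\w+))?\]$")

def split_group_vars(ini_text):
    """Return (ini_without_vars_sections, {group: group_vars_yaml_text})."""
    kept, groups, group, in_vault = [], {}, None, False
    for line in ini_text.splitlines():
        stripped = line.strip()
        header = HEADER.match(stripped)
        if header:
            # Only [name:vars] sections are moved; hosts and :children stay in INI.
            group = header.group(1) if header.group(2) == "vars" else None
            in_vault = False
            if group is not None:
                groups.setdefault(group, [])
                continue
        if group is None:
            kept.append(line)
        elif not stripped or stripped[0] in "#;":
            in_vault = False  # a blank line or comment ends a vault block
        elif in_vault and line[0].isspace():
            groups[group].append("  " + stripped)  # re-indent payload for YAML
        else:
            key, _, value = stripped.partition("=")
            value = value.strip()
            in_vault = value.startswith("!vault")
            groups[group].append(f"{key.strip()}: {value}")
    ini = "\n".join(kept).rstrip() + "\n"
    return ini, {g: "\n".join(v) + "\n" for g, v in groups.items()}

if __name__ == "__main__":
    ini, group_vars = split_group_vars(SAMPLE_INI)
    print(ini)
    for name, text in group_vars.items():
        print(f"# group_vars/{name}.yml\n{text}")
```

Write each returned YAML text to `group_vars/<group>.yml` next to the inventory file, as the answer describes; the INI file then holds only hosts and group membership.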