
I'm writing an Ansible playbook and role that will be used in various envs, both WAN and LAN. In my role I have a default credentials yaml file which contains passwords using Ansible Vault in-line encryption:

```yaml
default_username_for_something: "the_username"
default_password_for_something: !vault |
          $ANSIBLE_VAULT;1.2;AES256;dev
          30613233633461343837653833666333643061636561303338373661313838333565653635353162
          3263363434623733343538653462613064333634333464660a663633623939393439316636633863
          61636237636537333938306331383339353265363239643939666639386530626330633337633833
          6664656334373166630a363736393262666465663432613932613036303963343263623137386239
          6330
```

This approach works great when working in my own env, but not so when others try to use my role - because they do not have access to my Ansible Vault, they do not have these secret password values.

What is a way I could encrypt my passwords in this default credentials file WITHOUT using Ansible Vault? It doesn't have to be the most secure thing in the world - just a simple mechanism that would prevent the password from appearing as plaintext before and after a run of the role.

Thanks in advance!

  • 3
    You just don't encrypt passwords in a default role file you are going to share. You put a dummy value in there and then encrypt your own passwords in your own inventory/playbook. Your users will do the same in their own installation when using your role. – Zeitounator Nov 05 '20 at 15:12
  • 1
    If it's just simple obfuscation you want, you can base64 encode the string and then use `b64decode` to recover the cleartext; you'd want `no_log: yes` on any tasks that touch that value to keep it out of the logs, too – mdaniel Nov 05 '20 at 17:08
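
A sketch of the layout the first comment describes, with the `no_log` advice from the second comment applied to the task that consumes the password. This is an added example, not code from the original post; the role name `myrole`, the file paths, the `CHANGE_ME` placeholder and the `set-service-password` helper are assumptions.

```yaml
# --- roles/myrole/defaults/main.yml (shipped with the role; holds no real secret) ---
default_username_for_something: "the_username"
default_password_for_something: "CHANGE_ME"   # assumed placeholder; consumers must override it

# --- roles/myrole/tasks/main.yml ---
- name: Refuse to run while the placeholder password is still in place
  ansible.builtin.assert:
    that:
      - default_password_for_something is defined
      - default_password_for_something | length > 0
      - default_password_for_something != "CHANGE_ME"
    # The failure output shows the failed expression, not the variable's value.
    fail_msg: >-
      Override default_password_for_something in your own inventory,
      for example with ansible-vault encrypt_string.
    quiet: true

- name: Set the service password (hypothetical helper command)
  ansible.builtin.command:
    argv:
      - /usr/local/bin/set-service-password        # hypothetical, stands in for the real consumer
      - "{{ default_username_for_something }}"
    stdin: "{{ default_password_for_something }}"   # keeps the secret off the process command line
  no_log: true                                      # keeps the value out of task output and logs
  changed_when: true

# --- inventory/group_vars/all/secrets.yml (lives in each consumer's own repository) ---
# Each consumer generates this with their own vault password, e.g.:
#   ansible-vault encrypt_string --vault-id dev@prompt 'their-password' \
#     --name default_password_for_something
default_password_for_something: !vault |
  $ANSIBLE_VAULT;1.2;AES256;dev
  <ciphertext produced by the consumer's own vault key goes here>
```

Inventory group variables take precedence over role defaults, so the consumer's vaulted value replaces the placeholder without any change to the shared role.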

0 Answers