
I have an Ansible-encrypted vault file with user IDs and passwords stored in it. I am creating a playbook to change passwords in that file.

I tried to use lineinfile, but the text is getting added at the end of the encrypted text.

Is there a possibility to edit a vault file through a playbook?

Vault files can be edited through ansible-vault edit, not through vi filename. Vault file contents:

  user1:"abc$123098"
  user2:"qwe$123098"

I wanted to replace the user2 line in the vault file.

Ansible code:

  - name: changing vault file
    lineinfile:
      path: /path/testvault.yaml
      regexp: '^user1:'
      line: 'user1:lkjh$123098'
Sandy

1 Answer


As you have discovered, you can't use lineinfile to edit the file. The file is encrypted, and lineinfile is designed to work with plain text files.

Your only option would be to:

  1. Decrypt the file and store the contents in a variable (or a temporary file)
  2. Modify the un-encrypted data
  3. Re-encrypt the data and store it back in the file

Maybe something like:

- hosts: localhost
  gather_facts: false
  tasks:
    # 1. decrypt: ansible-vault prints the cleartext on stdout, which is captured
    - name: read data from vaulted file
      command: >-
        ansible-vault view users.txt
      register: cleartext

    # 2. edit: rebuild the content line by line, rewriting only the user1 line
    - name: update user1 password
      set_fact:
        newtext: >-
          {{ newtext + [item|regex_replace('user1:.*', 'user1:"newsecret"')] }}
      loop: "{{ cleartext.stdout_lines }}"
      vars:
        newtext: []

    # 3. re-encrypt: feed the new content on stdin and overwrite the vault file
    - name: write data to file
      command: >-
        ansible-vault encrypt --output users.txt
      args:
        stdin: "{{ '\n'.join(newtext) }}"

Given an encrypted input file with the contents:

user1:"qwe$123098"
user2:"qwe$123098"

After running the playbook, the file will instead contain the encrypted version of:

user1:"newsecret"
user2:"qwe$123098"

This probably requires that ansible-vault is able to determine the vault secret non-interactively.

I've put a runnable example here.

larsks
  • How to include users.txt file in the playbook? I'm getting an error fatal: [XXXXX]: FAILED! => {"changed": false, "cmd": "ansible-vault view USERS.yml", "msg": "[Errno 2] No such file or directory: b'ansible-vault': b'ansible-vault'", "rc": 2} – Dayanand Dhumala Feb 02 '23 at 15:52
  • 1
    It looks like you don't have Ansible properly installed. The `ansible-vault` command is a standard Ansible component. You probably want to open a new question, and include some details about how you've set up your environment. – larsks Feb 02 '23 at 15:58
  • @larsks Is it possible to have this be passed a value, rather than hard code it in? For example I tried changing newsecret to {{ new_secret }} and had called it by doing `ansible-playbook update_vault.yml -e 'new_secret=ThisIsANewSecret'` however it didn't work, it replaced it with {{ new_secret }} directly. – Jibril Feb 06 '23 at 16:28
  • 1
    It is absolutely possible, but remember that you never nest `{{...}}` markers. To refer to a variable in a template, you just reference the variable. You'll probably need to use some form of string formatting: `regex_replace('user1:.*', 'user1:%s' % (new_secret))`. – larsks Feb 06 '23 at 16:32
  • @larsks This worked beautifully, thank you! I did forget about that nesting rule. Final question, if you don't mind, since you seem relatively versed in Ansible. I am embedding this update in a Python script which will call it. Part of that Python script has the user, at some point, enter the Vault Password. This process of updating the Vault File requires you to enter the vault password 3 times. Are you aware of a way to programmatically provide calls to ansible-vault the vault password during the call? So the user doesn't have to sit there and wait for the prompt to appear multiple times? – Jibril Feb 06 '23 at 16:37
  • 1
    That seems like a new question. If you open one here I'd be happy to take a look. – larsks Feb 06 '23 at 16:38
  • @larsks Reasonable, done : https://stackoverflow.com/questions/75364155/ansible-python-programmatically-provide-ansible-vault-the-vault-password Thank you for your time and patience. – Jibril Feb 06 '23 at 16:41
  • 1
    if this answer helped out, please take a moment to mark it as "accepted" by checking the checkmark to the left of the answer. – larsks Feb 06 '23 at 16:53
  • @larsks To pick your brain on it once more, the solution you provided and in your git requires you to also confirm the password of the new file at runtime. If there is a way around that as well (making the entire process automatic) I'd be interested to know – Jibril Feb 06 '23 at 21:44
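The decrypt, edit, re-encrypt cycle from the answer, together with the two follow-ups raised in the comments (taking the new secret from a variable, and supplying the vault password without being prompted), as an added Python example that is not part of the original post and not Ansible's own code. It re-implements the Ansible Vault 1.1 AES256 envelope (PBKDF2-HMAC-SHA256 key derivation, AES-256-CTR over PKCS7-padded plaintext, HMAC-SHA256 over the ciphertext) on top of the `cryptography` package, the same library ansible-core uses, so no `ansible-vault` binary and no prompt is involved; the vault password, file contents and function names are constructed for the example.

```python
"""Added example: edit one line inside an Ansible Vault file programmatically.

Format-compatible re-implementation of the '$ANSIBLE_VAULT;1.1;AES256' envelope
(not ansible's own code), so the whole decrypt -> edit -> re-encrypt cycle runs
with the vault password passed as a value and never prompts.
"""
import os
import re
from binascii import hexlify, unhexlify

from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, hmac, padding
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
from cryptography.hazmat.primitives.kdf.pbkdf2 import PBKDF2HMAC

HEADER = "$ANSIBLE_VAULT;1.1;AES256"
KEY_LEN, IV_LEN, ITERATIONS = 32, 16, 10000   # AES-256 key, 16-byte CTR nonce, ansible's PBKDF2 count


def _derive_keys(password: bytes, salt: bytes):
    """PBKDF2-HMAC-SHA256 -> (AES key, HMAC key, CTR nonce), split the way ansible does."""
    kdf = PBKDF2HMAC(algorithm=hashes.SHA256(), length=2 * KEY_LEN + IV_LEN,
                     salt=salt, iterations=ITERATIONS)
    derived = kdf.derive(password)
    return derived[:KEY_LEN], derived[KEY_LEN:2 * KEY_LEN], derived[2 * KEY_LEN:]


def vault_encrypt(plaintext: bytes, password: bytes, salt: bytes = None) -> str:
    """Return a vault envelope for plaintext: header line plus 80-character hex lines."""
    salt = salt or os.urandom(32)                # ansible also draws a fresh 32-byte salt each time
    aes_key, mac_key, nonce = _derive_keys(password, salt)
    padder = padding.PKCS7(algorithms.AES.block_size).padder()
    enc = Cipher(algorithms.AES(aes_key), modes.CTR(nonce)).encryptor()
    ciphertext = enc.update(padder.update(plaintext) + padder.finalize()) + enc.finalize()
    mac = hmac.HMAC(mac_key, hashes.SHA256())
    mac.update(ciphertext)
    # inner layout: hex(salt) \n hex(hmac) \n hex(ciphertext), then hex-encoded once more
    body = hexlify(b"\n".join([hexlify(salt), hexlify(mac.finalize()), hexlify(ciphertext)])).decode()
    return HEADER + "\n" + "\n".join(body[i:i + 80] for i in range(0, len(body), 80)) + "\n"


def vault_decrypt(vaulttext: str, password: bytes) -> bytes:
    """Verify the HMAC first (wrong password or tampering raises InvalidSignature), then decrypt."""
    header, _, body = vaulttext.partition("\n")
    parts = header.strip().split(";")            # 1.2 envelopes carry a vault-id label as a 4th field
    if parts[0] != "$ANSIBLE_VAULT" or len(parts) < 3 or parts[2] != "AES256":
        raise ValueError("not an AES256 Ansible Vault envelope: %r" % header)
    salt_hex, mac_hex, ct_hex = unhexlify("".join(body.split())).split(b"\n", 2)
    salt, ciphertext = unhexlify(salt_hex), unhexlify(ct_hex)
    aes_key, mac_key, nonce = _derive_keys(password, salt)
    mac = hmac.HMAC(mac_key, hashes.SHA256())
    mac.update(ciphertext)
    mac.verify(unhexlify(mac_hex))               # constant-time compare; nothing is decrypted on failure
    dec = Cipher(algorithms.AES(aes_key), modes.CTR(nonce)).decryptor()
    unpadder = padding.PKCS7(algorithms.AES.block_size).unpadder()
    padded = dec.update(ciphertext) + dec.finalize()
    return unpadder.update(padded) + unpadder.finalize()


def set_user_password(vaulttext: str, vault_password: bytes, user: str, new_secret: str) -> str:
    """Decrypt, replace the 'user:"..."' line, re-encrypt under a fresh salt.

    The new secret is inserted through a callable rather than a replacement
    template, so characters such as '$' or '\\' in it are taken literally.
    """
    text = vault_decrypt(vaulttext, vault_password).decode()
    line_re = re.compile(r"^%s:.*$" % re.escape(user), re.MULTILINE)
    if line_re.search(text) is None:
        raise KeyError("no line for %r in vault file" % user)
    new_text = line_re.sub(lambda _m: '%s:"%s"' % (user, new_secret), text)
    return vault_encrypt(new_text.encode(), vault_password)


def password_is_valid(vaulttext: str, vault_password: bytes) -> bool:
    """Pre-flight check a wrapper script can run once, instead of prompting the operator three times."""
    try:
        vault_decrypt(vaulttext, vault_password)
        return True
    except InvalidSignature:
        return False


if __name__ == "__main__":
    # Constructed sample matching the question's file; not a real vault file from the page.
    vault_pw = b"example-vault-password"
    original = b'user1:"qwe$123098"\nuser2:"qwe$123098"\n'
    envelope = vault_encrypt(original, vault_pw)
    updated = set_user_password(envelope, vault_pw, "user1", "newsecret")
    print(vault_decrypt(updated, vault_pw).decode())
    try:  # optional interop check against the real VaultLib when ansible-core is installed
        from ansible.parsing.vault import VaultLib, VaultSecret
        lib = VaultLib([("default", VaultSecret(vault_pw))])
        assert lib.decrypt(updated.encode()) == vault_decrypt(updated, vault_pw)
        print("ansible's VaultLib decrypts the rewritten envelope identically")
    except ImportError:
        pass
```

Because the HMAC is checked before any decryption, a wrong vault password is reported without touching the ciphertext, and the plaintext only ever exists in memory; re-encryption uses a fresh salt, so the whole file changes on disk even when one line was edited, exactly as it does after `ansible-vault edit`.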