
I have the following ansible role:

- name: Get latest code from repository
  git:
    repo: 'https://{{ username }}:{{ password }}@{{ repository }}'
    dest: "{{ destination }}"
    force: yes

While username and repository can be variables, I am puzzled over how to retrieve the password from Ansible Vault. Any advice and insight is appreciated.

Kok How Teh

1 Answer

First, create a YAML file in the vars/ folder (it can be in any folder; host_vars or group_vars are also valid, depending on what type of variables you're keeping) containing your variables. Let's call it vars/git-data.yml. Then, encrypt it using Vault with:

ansible-vault encrypt vars/git-data.yml

A password will be required. Remember it.

Then, you have two options for including your variables while running your playbook:

  • Option A: Including them in your playbook:

    ---
    - hosts: localhost
      connection: local
      vars_files:
        - vars/git-data.yml
      tasks:
        - name: Print variable
          ansible.builtin.debug:
            msg: "{{ username }}"

  • Option B: Referring to them when you call ansible-playbook:

    ansible-playbook --ask-vault-pass -e @vars/git-data.yml cloning-repository.yml

Vault's password will be asked. You can also use --vault-password-file ${file} or the ANSIBLE_VAULT_PASSWORD_FILE environment variable pointing to a file containing the password.

Best regards.

Stefano Martins
  • Is encrypting a .yml which contains the username/password the only option? How about `ansible-vault create --vault-id myid@vault-secret group_vars/myid/myid_vault.yml`? – Kok How Teh Apr 22 '21 at 11:04
  • `ansible-vault create` creates the file if it doesn't exist. Vault ID enables you to use multiple passwords for the file you're encrypting. But yeah, AFAIK, it's the only option. Storing it into `group_vars/myid` won't work, since `myid` should be your group's name defined in your inventory. – Stefano Martins Apr 22 '21 at 11:12
  • Also, if you're using `host_vars/` or `group_vars/` to store your variables, Ansible will automatically try to load them based on host or group in your inventory. Again, it kinda depends on how you're organizing your project. – Stefano Martins Apr 22 '21 at 12:09
  • `myid` is a group in my previous comment. My question was if `ansible-vault encrypt group_vars/mygroup/git-data.yml` is the only option? Can I use `ansible-vault create --vault-id myid@vault-secret group_vars/mygroup/mygroup_vault.yml` and get the `password` from `mygroup_vault.yml`? – Kok How Teh Apr 23 '21 at 01:24
  • Sure. Vault's agnostic and doesn't care where your playbook's reading its variables from. You can even pass variables files with `-e @path/to-variable/file.yml`. – Stefano Martins Apr 23 '21 at 02:04
  • How is it different from `ansible-vault encrypt group_vars/mygroup/git-data.yml`? How do I achieve my objective with `ansible-vault create ...`? – Kok How Teh Apr 23 '21 at 02:11
  • `ansible-vault create ...` creates an encrypted file with Vault. You can create a YAML file and encrypt it later with `ansible-vault encrypt` with no problem whatsoever. Imagine Vault as a mechanism to secure sensitive data in Ansible's files through encryption. Storing your variables in `group_vars/`, `host_vars/`, `vars/` or any other file will change variable precedence, for instance. Also, that variable will be set for all hosts in that group if you set it inside the `group_vars/` folder. – Stefano Martins Apr 23 '21 at 02:44
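The answer and the comment thread above revolve around one failure mode: the vars file holding `password` ends up in the repository, and the only thing standing between it and a plaintext credential leak is whether someone actually ran `ansible-vault encrypt` (or `ansible-vault create`) on it. The check below is an added example, not code from the question, the answer or the Ansible project. It walks the `vars/`, `group_vars/` and `host_vars/` directories the answer mentions, recognises a vaulted file by its documented first line (`$ANSIBLE_VAULT;1.1;AES256` for a single password, `$ANSIBLE_VAULT;1.2;AES256;<vault-id>` when encrypted with `--vault-id`), and flags any YAML file that is still plaintext yet contains a secret-looking key such as `password:`. The `build_sample()` tree, the `mygroup`/`myid` names reused from the comments, and the hex bodies standing in for real vault ciphertext are all constructed for the example.

```python
"""Pre-commit style check: are the Ansible Vault files in this tree really encrypted?

Added example (not the question's or answer's code). Assumes the project layout
from the answer (vars/, group_vars/, host_vars/) and the vault header format:
    $ANSIBLE_VAULT;1.1;AES256             single vault password
    $ANSIBLE_VAULT;1.2;AES256;<vault-id>  encrypted with --vault-id <vault-id>@...
"""
import os
import re
import tempfile

# First line of every file written by `ansible-vault encrypt` / `ansible-vault create`.
VAULT_HEADER = re.compile(
    r"^\$ANSIBLE_VAULT;(?P<version>1\.[12]);(?P<cipher>[A-Z0-9]+)(?:;(?P<vault_id>[^\s;]+))?\s*$"
)
# Top-level keys whose presence in an unencrypted vars file is a finding.
SENSITIVE_KEYS = re.compile(r"^\s*(password|passwd|token|secret|api_key)\s*:", re.IGNORECASE | re.MULTILINE)


def vault_header(text):
    """Return {'version', 'cipher', 'vault_id'} if text is a vault blob, else None."""
    first_line = text.splitlines()[0] if text else ""
    m = VAULT_HEADER.match(first_line)
    if not m:
        return None
    return {"version": m.group("version"), "cipher": m.group("cipher"), "vault_id": m.group("vault_id")}


def classify(path):
    """Classify one file as encrypted, plaintext, or plaintext that carries a secret."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        text = fh.read()
    header = vault_header(text)
    if header:
        return ("encrypted", header)
    if SENSITIVE_KEYS.search(text):
        return ("plaintext-secret", None)
    return ("plaintext", None)


def scan(root, dirs=("vars", "group_vars", "host_vars")):
    """Walk the variable directories under root; return {relative path: (status, header)}."""
    results = {}
    for d in dirs:
        for dirpath, _, files in os.walk(os.path.join(root, d)):
            for name in files:
                if not name.endswith((".yml", ".yaml")):
                    continue
                full = os.path.join(dirpath, name)
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                results[rel] = classify(full)
    return results


def findings(results):
    """Paths that should have been vaulted but are still plaintext."""
    return sorted(path for path, (status, _) in results.items() if status == "plaintext-secret")


def build_sample():
    """Constructed project tree for the example; hex bodies are stand-ins, not real ciphertext."""
    root = tempfile.mkdtemp(prefix="vault-check-")
    files = {
        # vars/git-data.yml encrypted the way the answer describes (single password)
        "vars/git-data.yml": "$ANSIBLE_VAULT;1.1;AES256\n36613362653438\n",
        # the --vault-id variant from the comments
        "group_vars/mygroup/mygroup_vault.yml": "$ANSIBLE_VAULT;1.2;AES256;myid\n62313532363238\n",
        # non-sensitive group variables may legitimately stay in plaintext
        "group_vars/mygroup/vars.yml": "repository: git.example.invalid/app.git\ndestination: /srv/app\n",
        # someone forgot to encrypt this one
        "host_vars/web1.yml": "username: deploy\npassword: not-a-real-password\n",
    }
    for rel, content in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    results = scan(build_sample())
    for path, (status, header) in sorted(results.items()):
        extra = f" (vault-id={header['vault_id']})" if header and header["vault_id"] else ""
        print(f"{path}: {status}{extra}")
    bad = findings(results)
    if bad:
        print("unencrypted secrets:", ", ".join(bad))
    raise SystemExit(1 if bad else 0)
```

Run as a pre-commit hook, a non-zero exit blocks the commit that would have pushed `host_vars/web1.yml` in the clear; the key heuristic is deliberately narrow so legitimately plaintext files such as `group_vars/mygroup/vars.yml` pass. Two things the check cannot see are worth keeping in mind for the original task: once the git module clones with `https://{{ username }}:{{ password }}@{{ repository }}`, that credential-bearing URL is stored in `.git/config` under the destination, and the module arguments can appear in verbose task output unless the task is marked `no_log: true`.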