I would like to do something like

ansible-playbook myPlaybook.yml -i myHostFile 

instead of

ansible-playbook myPlaybook.yml -i myHostFile --ask-vault-pass
    Does [Configuring defaults for using encrypted content](https://docs.ansible.com/ansible/latest/user_guide/vault.html#configuring-defaults-for-using-encrypted-content) answer your question? – U880D Dec 14 '21 at 07:28
  • @U880D thanks, but the vault_pass.txt is displayed in plain text; how do I encrypt it? – Alves Gustavo Dec 14 '21 at 08:09
  • `DEFAULT_VAULT_PASSWORD_FILE` and `DEFAULT_VAULT_IDENTITY_LIST` can take a path to an executable file which prints the password to `stdout`. As an example, you can study the [`vault-keyring-client.py` script provided by ansible community](https://github.com/ansible-community/contrib-scripts/blob/main/vault/vault-keyring-client.py) which reads a password from your linux session keystore. You can adapt the concept to whatever password storage system you want to use. – Zeitounator Dec 14 '21 at 08:28
  • Meanwhile, if you want to automate the use of vault with an encrypted password, you will need at some point to have access to whatever system is containing the password, which will require a shared secret stored one way or another (i.e. a credential stored in awx/tower, a session opened by a user who previously unlocked the keystore...) – Zeitounator Dec 14 '21 at 08:38
  • add `vault_password_file: /PATH/TO/FILE` to the `ansible.cfg`. I'd recommend the same as @Zeitounator, or just encrypt vault-password file using gpg and add the script for decrypting it to `vault_password_file`. – user1098490 Dec 14 '21 at 08:40
  • What is the exact requirement? Do you need not to get prompted for a password, or not use the `--ask-vault-pass` specifically on command line? – GeralexGR Dec 14 '21 at 08:45
  • I don't want to use ask-vault-pass every time I launch a playbook, and I want the password to be stored encrypted. – Alves Gustavo Dec 14 '21 at 09:23

1 Answer

Your requirement is not clear. Following my comments, this answer is a specific example of how to secure your vault passwords inside your gnome linux session keyring using the vault-keyring-client.py script provided by ansible community contribs (hoping it will give you some ideas of how to fix the problem in your specific case).

  1. Make sure you have the required dependencies to run the script
    pip install keyring

  2. Install the contrib script somewhere in your path (the given path is just an example, use one suited to your situation)
    cd $HOME/bin
    curl -o vault-keyring-client https://raw.githubusercontent.com/ansible-community/contrib-scripts/main/vault/vault-keyring-client.py
    chmod 0700 vault-keyring-client

  3. Create your vault id passwords in your session keystore using the script. The password is asked interactively and stored. You can see them browsing the login keyring after launching seahorse (i.e. "Passwords and keys").
    vault-keyring-client --set --vault-id yourid1
    vault-keyring-client --set --vault-id yourid2

  4. Configure ansible to use that script for those ids. If encrypted content is found without an id, the ids will be tried in order. You probably want to define a default id to encrypt the content. Add the following lines to your .bashrc (or whatever shell you use...)
    export ANSIBLE_VAULT_IDENTITY_LIST=yourid1@$HOME/bin/vault-keyring-client,yourid2@$HOME/bin/vault-keyring-client
    export ANSIBLE_VAULT_ENCRYPT_IDENTITY=yourid1

  5. Encrypt some content
    # using the default encrypt vault-id
    ansible-vault encrypt somefile
    ansible-vault encrypt_string "somestring"
    # using another vault-id than the default
    ansible-vault encrypt --encrypt-vault-id yourid2 somefile
    ansible-vault encrypt_string --encrypt-vault-id yourid2 "somestring"

  6. You can now use any playbook or ad hoc command in need of a configured vault password from your opened session without having to provide it interactively
    ansible-playbook -i your_inventory your_playbook
    ansible -i your_inventory somehost -m debug -a "msg={{ some_encrypted_var }}"

Zeitounator
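The answer relies on the vault-id client contract: Ansible runs a password script whose name ends in `-client` as `<script> --vault-id <id>`, reads the password from stdout, and treats exit status 2 as "no secret for that id" (the convention the contrib script follows). The script below is an added example, not the contrib script or the answer's own code, showing that contract with the OS keyring as the default backend; the `SERVICE` name and the `-client` naming assumption are mine, and `resolve()` takes a pluggable lookup so the behaviour can be exercised without a keyring.

```python
#!/usr/bin/env python3
"""Minimal Ansible vault password client (added example, not the contrib script).

Contract Ansible applies to a script whose name ends in "-client" (assumption):
  * it is run as:  <script> --vault-id <id>
  * the password is printed to stdout (Ansible strips the trailing newline)
  * exit status 2 means "no secret for that vault-id"; other non-zero = error
"""
import argparse
import getpass
import sys

SERVICE = "ansible-vault"  # keyring service name: an assumption, pick your own

def lookup_keyring(vault_id):
    """Default backend: the OS keyring (pip install keyring). Raises if absent/locked."""
    import keyring
    return keyring.get_password(SERVICE, vault_id)

def resolve(vault_id, lookup=lookup_keyring):
    """Return (exit_code, stdout_text, stderr_text); the secret only ever goes to stdout."""
    if not vault_id:
        return 1, "", "usage: --vault-id <id>\n"
    try:
        secret = lookup(vault_id)
    except Exception as exc:  # missing keyring module, locked session, etc.
        return 1, "", "backend error for vault-id=%s: %s\n" % (vault_id, type(exc).__name__)
    if secret is None:  # class name only, so no backend message leaks into logs
        return 2, "", "no secret stored for vault-id=%s\n" % vault_id
    return 0, secret + "\n", ""

def main(argv=None):
    parser = argparse.ArgumentParser()
    parser.add_argument("--vault-id", required=True)
    parser.add_argument("--set", action="store_true", help="store a password instead")
    args = parser.parse_args(argv)
    if args.set:  # mirrors `vault-keyring-client --set --vault-id <id>` from the answer
        import keyring
        keyring.set_password(SERVICE, args.vault_id, getpass.getpass("Vault password: "))
        return 0
    rc, out, err = resolve(args.vault_id)
    sys.stdout.write(out)
    sys.stderr.write(err)
    return rc

if __name__ == "__main__":
    sys.exit(main())
```

Save it as e.g. `$HOME/bin/my-vault-client`, make it executable, and reference it in `ANSIBLE_VAULT_IDENTITY_LIST` exactly as the answer does for the contrib script.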