
I am using ansible-vault in a playbook and I want to call it from Jenkinsfile. I have read that you can have the password in a file and just call it like that but I want to do it using the --ask-vault-pass.

I created the credential (secret text) on Jenkins and I want to use it but I don't know how. I've been searching around the internet but all I see are questions regarding the usage of the ansible-vault password in a file.

This would be the code:

pipeline {
    agent none

    environment {
        ANSIBLE_VAULT=credentials('ansiblevault')
    }

    stages {
        stage ('Start docker node via Ansible') {
            agent { label 'ansible_slave' }
            steps {
                sh 'ansible-playbook /etc/ansible/instance_start_stop.yml --ask-vault-pass -i hosts --user user1 --key-file /home/user1/.ssh/id_rsa'
            }
        }
    }
}

How could I use the credential in this case? Thanks!

  • This would possibly defeat the purpose of having it as a secret because you would have to have it in the scripts steps and so it would appear in the logs of Jenkins. – β.εηοιτ.βε Feb 19 '22 at 12:37
  • So then it would be best to have a file with the password to ansible vault? Wouldn't that be accessible as well? – josegp Feb 19 '22 at 12:44
  • Use the ansible plugin for jenkins and just configure the id of your password credential in the given step. Asking for password interactively in a pipeline is definitely a bad idea. – Zeitounator Feb 19 '22 at 14:14
  • What Zeitounator said, or one will observe there are environment variables and a [`--vault-password-file`](https://docs.ansible.com/ansible/2.10/user_guide/vault.html#passing-a-single-password) designed to supply the password non-interactively, including from some script, which allows supporting all kinds of workflows – mdaniel Feb 19 '22 at 19:01
  • Yeah, thanks everyone for the replies! I already implemented it and it is working nicely! :) – josegp Feb 20 '22 at 03:00
  • Then please [post and accept your own answer](https://stackoverflow.com/help/self-answer) otherwise you have become one of the [tropes of the Internet](https://xkcd.com/979/) – mdaniel Feb 20 '22 at 18:55

1 Answer


Thanks Zeitounator and β.εηοιτ.βε for your replies!

I tried this:

withCredentials([file(credentialsId: 'ansible_password', variable: 'ansibleVaultKeyFile')]) {
    // Ansible plugin step; the file credential is bound to a temporary path in ${ansibleVaultKeyFile}
    ansiblePlaybook playbook: 'instance_start_stop.yml',
                    inventory: 'hosts',
                    extras: "--user user1 --vault-password-file ${ansibleVaultKeyFile} --key-file /home/user1/.ssh/id_rsa"
}

But there was a problem of not having the right permissions, since the user I am running the command as is not root. So I needed the sudo. I tried using sudoUser but to no avail.

So this is how I implemented it in the end:

withCredentials([file(credentialsId: 'ansible_password', variable: 'ansibleVaultKeyFile')]) {
    // Single-quoted Groovy string: the shell expands ${ansibleVaultKeyFile} from the environment,
    // so the bound path is not interpolated into the script text by Groovy
    sh 'sudo ansible-playbook /etc/ansible/instance_start_stop.yml --vault-password-file ${ansibleVaultKeyFile} -i /etc/ansible/hosts --user user1 --key-file /home/user1/.ssh/id_rsa'
}
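Added example, not code from the question or the answer: the executable-script form of `--vault-password-file` that mdaniel's comment mentions, reading the password from the `ANSIBLE_VAULT` variable that the question's `environment {}` block binds from the secret-text credential. The script path, the permission check and the `run_playbook` wrapper are assumptions.

```shell
#!/bin/sh
# Added example, not code from the question or the answer.
# Ansible accepts an executable as --vault-password-file: it runs the file
# and reads the password from its stdout. Pointing the pipeline at such a
# script keeps the password itself off the ansible-playbook command line,
# so it does not show up in the Jenkins console log or in `ps`. ANSIBLE_VAULT
# is the secret-text binding from the question's environment {} block; the
# script path and the wrapper below are assumptions.

# Write the password-client script to $1 with owner-only permissions.
write_vault_pass_script() {
    cat > "$1" <<'EOF'
#!/bin/sh
# Fail closed if Jenkins did not inject the credential.
if [ -z "${ANSIBLE_VAULT:-}" ]; then
    echo "vault-pass: ANSIBLE_VAULT is not set" >&2
    exit 1
fi
# Exactly the password, newline-terminated, on stdout.
printf '%s\n' "$ANSIBLE_VAULT"
EOF
    chmod 0700 "$1"
}

# Refuse a password script that other users could read or alter:
# the octal mode must have no group/other bits (e.g. 700 or 500).
vault_pass_script_is_private() {
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
    [ "${mode#?}" = "00" ]
}

# The command the pipeline's sh step would run, with the playbook options
# copied from the question (assumed). No password value appears in it.
run_playbook() {
    script="$1"
    vault_pass_script_is_private "$script" || return 1
    ansible-playbook /etc/ansible/instance_start_stop.yml \
        --vault-password-file "$script" \
        -i /etc/ansible/hosts --user user1 --key-file /home/user1/.ssh/id_rsa
}
```

In the Jenkinsfile the `sh` step would reference the script path only, so Jenkins' secret masking and the absence of the value from argv both hold.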