
Is there a way to use the ansible.builtin.uri module to POST / PUT an encrypted file while seamlessly decrypting it from the vault? Or is there a safe workaround (i.e. a secure sequence of tasks)?

The use case is to upload a licence file which is stored encrypted with ansible vault in the roles/the_role/files folder of a project.

The ansible.builtin.uri module is able to find the encrypted file, but it does not decrypt it before the upload.

- name: "Nexus Update License: Uploading new License file"
  ansible.builtin.uri:
    url: "http://{{ inventory_hostname }}:{{ nexus_default_port }}{{ nexus_default_context_path | regex_replace('\\/$', '')}}/service/rest/v1/system/license"
    user: "{{ nexus_admin_account }}"
    password: "{{ nexus_admin_password }}"
    headers:
      Content-Type: application/octet-stream
    method: POST
    force_basic_auth: yes
    status_code: 200,204
    src: "license.lic.enc" # this uploads the license still encrypted...

This question is similar, but I cannot use the copy module: How to upload encrypted file using ansible vault?

Fabio
  • Have you tried replacing `src: "license.lic.enc"` with `body: "{{ lookup('ansible.builtin.file','license.lic.enc') }}"`? – HiroCereal Jan 02 '23 at 15:16
  • @HiroCereal, I tried your suggestion, but I get this error which I'm not able to solve: `UnicodeEncodeError: 'utf-8' codec can't encode characters in position 3-4: surrogates not allowed`, so I've posted a workaround – Fabio Jan 03 '23 at 18:07

1 Answer

I wasn't able to find a way to upload a file while decrypting it from the vault on the fly.

One workaround is to upload the file to the remote host, use it, and then make sure it is removed in any case.

It is better than decrypting the file on the host running ansible as other users might have access to it, while the task performed by ansible should be quite quick.

# The following is slightly better as it will remove the license after use
- name: "Deploy new license"
  block:
    - name: "Copy license file"
      ansible.builtin.copy:
        src: "{{ nexus_license_file }}"
        dest: "/tmp/license"
        owner: "{{ nexus_os_user }}"
        group: "{{ nexus_os_group }}"
        mode: 0400

    - name: "Nexus Update License ({{ ansible_hostname }}): Uploading new License file"
      ansible.builtin.uri:
        url: "http://{{ inventory_hostname }}:{{ nexus_default_port }}{{ nexus_default_context_path | regex_replace('\\/$', '')}}/service/rest/v1/system/license"
        user: "{{ nexus_admin_account }}"
        password: "{{ nexus_admin_password }}"
        headers:
          Content-Type: application/octet-stream
        method: POST
        force_basic_auth: yes
        status_code: 200,204
        src: "/tmp/license"
        remote_src: true
  always:                         # Always remove the license file
    - name: "Remove license file"
      ansible.builtin.file:
        path: "/tmp/license"
        state: absent

Fabio
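As an added example (not code from the question or the answer above), here is the same copy, upload, always-remove sequence with the fixed `/tmp/license` path replaced by a per-run temporary file from ansible.builtin.tempfile. A fixed name in a world-writable directory is predictable and is reused on every run, so it can collide with a file that another local user already controls; tempfile instead creates a uniquely named file with mode 0600 owned by the connecting user. The variable names follow the answer, and `license_tmp` is a register name assumed here.

```yaml
# Added example, not the code of the question or the answer above.
# Assumed: nexus_license_file, nexus_default_port, nexus_default_context_path,
# nexus_admin_account and nexus_admin_password are defined as in the answer;
# license_tmp is a register name chosen here.
- name: "Deploy new license"
  block:
    - name: "Create a private, uniquely named temporary file on the remote host"
      ansible.builtin.tempfile:
        state: file
        prefix: "license."
      register: license_tmp

    - name: "Copy the vaulted license (copy decrypts it) into the temporary file"
      ansible.builtin.copy:
        src: "{{ nexus_license_file }}"
        dest: "{{ license_tmp.path }}"
        mode: "0600"            # readable only by the user running the next task
      no_log: true              # keep the decrypted content out of the task output

    - name: "Nexus Update License ({{ ansible_hostname }}): Uploading new License file"
      ansible.builtin.uri:
        url: "http://{{ inventory_hostname }}:{{ nexus_default_port }}{{ nexus_default_context_path | regex_replace('\\/$', '') }}/service/rest/v1/system/license"
        user: "{{ nexus_admin_account }}"
        password: "{{ nexus_admin_password }}"
        headers:
          Content-Type: application/octet-stream
        method: POST
        force_basic_auth: true
        status_code: [200, 204]
        src: "{{ license_tmp.path }}"   # read on the remote host and sent as the body
        remote_src: true
  always:
    - name: "Remove the temporary license file whether or not the upload succeeded"
      ansible.builtin.file:
        path: "{{ license_tmp.path }}"
        state: absent
      when: license_tmp.path is defined   # tempfile itself may have failed
```

The owner and group settings from the answer are not needed here: with `remote_src: true` the uri module reads the file on the target host as the user the play runs as and sends its contents in the request body, so that user is the only one who needs read access. The `when` guard on the cleanup task keeps the `always` block from failing a second time if the tempfile task never produced a path.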