
I have a file in the inventory named `myFile.properties.j2` that is used in a task in one of the roles that a playbook uses.

Content of the file:

```properties
my.super.pwd=nope
my.otherSuper.pwd= !vault |
  $ANSIBLE_VAULT;1.1;AES256
  38663664363362333264343934373066623330373736646232663337353062383731346234363937
  3131633062366462643261323333303438333330343231370a626639333066303562373964633035
  30653433303165333734386131353861366637393430636364386439386666363331656330393830
  3961666132396561350a326266633462653335626466623464316461313061373532633136353734
  30613030363837333833656239626236323036356265313435636232633031323432626338663838
  33663135346364316135386239663063623363656661643635353032636365663464356235396466
  663633333832623963393334633666383964
and.antoher= !vault |
  $ANSIBLE_VAULT;1.1;AES256
  38663664363362333264343934373066623330373736646232663337353062383731346234363937
  3131633062366462643261323333303438333330343231370a626639333066303562373964633035
  30653433303165333734386131353861366637393430636364386439386666363331656330393830
  3961666132396561350a326266633462653335626466623464316461313061373532633136353734
  30613030363837333833656239626236323036356265313435636232633031323432626338663838
  33663135346364316135386239663063623363656661643635353032636365663464356235396466
  663633333832623963393334633666383964
another.pwd.net=nope
and.another.pwd=nope
```

The task that uses it:

```yaml
- name: "Template the secrets files"
  template:
    src: "{{ item.src }}"
    dest: "{{ somewhere }}/{{ item.path | basename | regex_replace('.j2$', '') }}"
    force: true
    mode: '0440'
    owner: "{{ somebody }}"
    group: root
  with_filetree: "{{ some_dir }}"
  when: item.state == 'file'
```

The problem is that once the playbook is played, the file remains as it is and no secret is decrypted.

Any ideas please?

If I vault the whole file it works fine, but when I try to vault only the variables it does not work; the file remains the same.

  • Please read the [how to ask](https://stackoverflow.com/help/how-to-ask) page, and pay especial attention to the [MCVE](https://stackoverflow.com/help/mcve) section, since the example you provided is not executable and your description is all over the place. You can use a vault password of `password` and disposable data for your example, but focus on the "M" and the "E". Good luck – mdaniel Dec 30 '22 at 01:21
  • Is the encrypted value set in the template? That will not work; you'll need to set it as a variable (i.e. in the inventories, the defaults of the roles, or a `set_fact` in the role or playbook). The template file will have only the reference to the variable with the "moustaches" format: `config = {{ your_variable_name }}` – Carlos Monroy Nieblas Dec 30 '22 at 01:24
  • Thank you @CarlosMonroyNieblas, I've tried it but I have a lot of variables in this j2 file; there is no way to do it as `key= vaulted value`? – Faycal Said Jan 02 '23 at 07:51

1 Answer


Ansible does decrypt all variables itself, no need for you to do it, but you must keep the secrets inside Ansible vaults or Ansible files supporting vaulted values (vars, plays, tasks).

– sorin

  • Thank you, I decided to encrypt the whole file (that is stored in the files directory in the inventory); it was much easier, but it could be helpful to have the possibility to only encrypt a value in files other than YAML. – Faycal Said Jan 03 '23 at 13:06
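The approach suggested in the comments and in the answer (keep the `!vault` blocks in a YAML vars file, reference them from the template with `{{ var }}`) can be applied mechanically to a large properties template. The following is an added example, not code from the question or the answer: it splits a `.properties.j2` file into a template with variable references and a vars file that carries the vault blocks unchanged, so Ansible's loader decrypts them. The sample input and its ciphertext lines are constructed placeholders, and the variable naming (dots replaced by underscores) is an assumption.

```python
import re

# Matches a properties line whose value is an inline vault block header,
# e.g. "my.otherSuper.pwd= !vault |" (constructed format from the question).
VAULT_RE = re.compile(r'^([^=\s]+)\s*=\s*!vault\s*\|\s*$')


def split_properties_template(text):
    """Return (template_text, vars_yaml) for a properties.j2 file.

    Vaulted values are moved into vars_yaml as `var: !vault |` entries, and
    the template keeps only `key={{ var }}` so Ansible decrypts the variable
    before rendering instead of copying the ciphertext verbatim.
    """
    lines = text.splitlines()
    template, vars_yaml = [], []
    i = 0
    while i < len(lines):
        m = VAULT_RE.match(lines[i])
        if not m:
            template.append(lines[i])  # plain line, kept as-is
            i += 1
            continue
        key = m.group(1)
        var = re.sub(r'[^0-9A-Za-z_]', '_', key)  # my.super.pwd -> my_super_pwd (assumed naming)
        block = []
        i += 1
        while i < len(lines) and lines[i].startswith(' '):  # indented continuation lines
            block.append(lines[i].strip())
            i += 1
        if not block or not block[0].startswith('$ANSIBLE_VAULT;'):
            raise ValueError(f'{key}: "!vault |" is not followed by an $ANSIBLE_VAULT block')
        template.append(f'{key}={{{{ {var} }}}}')
        vars_yaml.append(f'{var}: !vault |')
        vars_yaml.extend('  ' + b for b in block)
    return '\n'.join(template) + '\n', '\n'.join(vars_yaml) + '\n'


# Constructed sample input; the hex lines are placeholders, not real vault output.
SAMPLE = """\
my.super.pwd=nope
my.otherSuper.pwd= !vault |
  $ANSIBLE_VAULT;1.1;AES256
  6162636465666768696a6b6c
  6d6e6f707172737475767778
another.pwd.net=nope
"""

if __name__ == "__main__":
    tpl, vault_vars = split_properties_template(SAMPLE)
    print(tpl)         # template with {{ my_otherSuper_pwd }} reference
    print(vault_vars)  # YAML to drop into group_vars/host_vars
```

The generated YAML goes into a vars location Ansible loads (group_vars, host_vars, role defaults), and the rewritten template replaces the original `.j2`.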