
My goal is to add a task

- name: Log into DockerHub
  docker_login:          # module name; its parameters are nested under it
    username: myname
    password: ********

I tried adding it to vars

  vars:
    ansible_python_interpreter: '{{ ansible_playbook_python }}'
    image_name: docker-nextjs-dev
    secrets: !vault |
      $ANSIBLE_VAULT;1.1;AES256
      66386565316361613962653530666266613632656366333032636661363765386462373038376438

and changed

- name: Log into DockerHub
  docker_login:          # module name; its parameters are nested under it
    username: docker
    password: "{{ secrets }}"

When I run

ansible-playbook --ask-vault-pass secrets.yml

and enter my password, I get

ERROR! A playbook must be a list of plays, got a <class 'ansible.parsing.yaml.objects.AnsibleUnicode'> instead

The error appears to be in '/home/miki/prac/ansible-for-kubernetes/hello-go-automation/secrets.yml': line 1, column 1, but may
be elsewhere in the file depending on the exact syntax problem.

The offending line appears to be:


$ANSIBLE_VAULT;1.1;AES256

How do I pass secrets.yaml as a var in the playbook?

Zeitounator
Richard Rublev

1 Answer


Q: "How to pass secrets.yaml as var in the playbook?"

A: You can't provide the vault password "as var in the playbook". See Running a Playbook With Vault. In your example, you use a file to provide the vault password

shell> ansible-playbook --ask-vault-pass secrets.yml

This is wrong. Use the option --vault-password-file if you want to provide the vault password from a file

shell> ansible-playbook --vault-password-file secrets.yml

See also: Using vault in playbooks.


The error

ERROR! A playbook must be a list of plays, ...

is a syntax problem and is not related to the Ansible vault.


Once you have decided how to provide the vault password, Ansible Vault works as expected. For example, encrypt a string (with the vault password provided via the environment variable ANSIBLE_VAULT_PASSWORD_FILE)

shell> ansible-vault encrypt_string foo_bar_baz
Encryption successful
!vault |
          $ANSIBLE_VAULT;1.1;AES256
          37623535633063303662346335316537333831643539353037393731373438356634643561623064
          6335636535393836633364396433663131653561313261380a323664386133633861323863393834
          34636666333431623632366134663133383930653135393164353732373634343631313733396664
          3537666431376432300a643666393733383262613438313563396662323933303465613530666565
          3934

Use it in a play

- hosts: localhost

  vars:
    passwd: !vault |
          $ANSIBLE_VAULT;1.1;AES256
          37623535633063303662346335316537333831643539353037393731373438356634643561623064
          6335636535393836633364396433663131653561313261380a323664386133633861323863393834
          34636666333431623632366134663133383930653135393164353732373634343631313733396664
          3537666431376432300a643666393733383262613438313563396662323933303465613530666565
          3934

  tasks:

    - debug:
        var: passwd

gives (abridged)

TASK [debug] *********************************************************************************
ok: [localhost] => 
  passwd: foo_bar_baz

You can put the variable into a file

shell> cat passwd.yml 
passwd: foo_bar_baz

Encrypt the file

shell> ansible-vault encrypt passwd.yml 
Encryption successful
shell> cat passwd.yml 
$ANSIBLE_VAULT;1.1;AES256
63383736626439363062383861363933366266653731303833343862663764303763663763336338
3933373263663764323433653264633565613061643366350a613632646137343866626566393563
35326431303061633734343538613339636466313036373931613130323835656336643665343936
6463306466373639370a636239316135653933386532346536623761336561313739363362353534
34373763363735303136373766343838663566393039353132333032646139353235

Use it in a play

shell> cat pb.yml
- hosts: localhost

  vars_files:
    - passwd.yml

  tasks:

    - debug:
        var: passwd

gives (abridged)

TASK [debug] *********************************************************************************
ok: [localhost] => 
  passwd: foo_bar_baz

Best practice is to limit the scope of the secrets. For example, limit the scope of the variable passwd to the task where you use it. Put the password into a plaintext file

shell> cat passwd.txt
foo_bar_baz

Encrypt the file

shell> ansible-vault encrypt passwd.txt
Encryption successful
shell> cat passwd.txt
$ANSIBLE_VAULT;1.1;AES256
33313232663733653465373064353230646332393366356433373333396430623138336162366366
6238316131666635623664323630316430393361383365370a633934323330386233353931333431
64666133323238323462383039626261643066383866353438363964383634376164366463303435
3133643766343763330a653563643338653638393934396131663066306634386235626230646237
6439

and use it in a task

    - debug:
        var: passwd
      vars:
        passwd: "{{ lookup('file', 'passwd.txt') }}"

gives

TASK [debug] *********************************************************************************
ok: [localhost] => 
  passwd: foo_bar_baz
Vladimir Botka
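The answer shows several $ANSIBLE_VAULT;1.1;AES256 blobs but never looks inside one. The script below is an added example, not code from the question or the answer: it parses the envelope layout that Ansible's VaultAES256 cipher writes (header line, then the hex encoding of "salt_hex\nhmac_hex\nciphertext_hex" wrapped at 80 columns) and checks a candidate vault password against the HMAC using only the Python standard library, with no decryption involved. The sample input is the passwd.yml envelope printed in the answer; the vault password that produced it is not on the page, so the demonstration can only show a known-wrong password being rejected. The function names parse_vault_text, derive_keys and password_matches are mine.

```python
"""Inspect an Ansible Vault envelope and verify a password against its HMAC.

Added example (not from the question or answer above). Uses only the standard
library and the layout written by Ansible's VaultAES256 cipher.
"""
import binascii
import hashlib
import hmac

# The encrypted "passwd.yml" printed in the answer (page data, copied verbatim).
PAGE_FILE_VAULT = """$ANSIBLE_VAULT;1.1;AES256
63383736626439363062383861363933366266653731303833343862663764303763663763336338
3933373263663764323433653264633565613061643366350a613632646137343866626566393563
35326431303061633734343538613339636466313036373931613130323835656336643665343936
6463306466373639370a636239316135653933386532346536623761336561313739363362353534
34373763363735303136373766343838663566393039353132333032646139353235
"""

# VaultAES256 key schedule: PBKDF2-HMAC-SHA256, 10000 rounds, 80 bytes of
# output split into AES-256 key (32) + HMAC-SHA256 key (32) + CTR IV (16).
PBKDF2_ROUNDS = 10000
KEY_LEN = 32
IV_LEN = 16


def parse_vault_text(text):
    """Split a vault envelope into its header fields and binary components.

    Works for both a whole encrypted file and the body of a '!vault |' string
    (leading indentation on each line is ignored).
    """
    lines = [line.strip() for line in text.strip().splitlines()]
    header = lines[0].split(";")
    if header[0] != "$ANSIBLE_VAULT" or len(header) < 3:
        raise ValueError("not an Ansible Vault envelope")
    version, cipher = header[1], header[2]
    vault_id = header[3] if len(header) > 3 else None  # present in format 1.2
    if cipher != "AES256":
        raise ValueError("unsupported cipher: %s" % cipher)
    # Body = hex("salt_hex\nhmac_hex\nciphertext_hex") wrapped at 80 columns:
    # join the lines, unhex once, then split on the two embedded newlines.
    inner = binascii.unhexlify("".join(lines[1:]))
    salt_hex, hmac_hex, ct_hex = inner.split(b"\n")
    return {
        "version": version,
        "vault_id": vault_id,
        "salt": binascii.unhexlify(salt_hex),
        "hmac": binascii.unhexlify(hmac_hex),
        "ciphertext": binascii.unhexlify(ct_hex),
    }


def derive_keys(password, salt):
    """One PBKDF2 call, sliced into (AES key, HMAC key, CTR IV) like Ansible does."""
    material = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                   PBKDF2_ROUNDS, dklen=2 * KEY_LEN + IV_LEN)
    key1 = material[:KEY_LEN]              # AES-256-CTR key
    key2 = material[KEY_LEN:2 * KEY_LEN]   # HMAC-SHA256 key
    iv = material[2 * KEY_LEN:]            # CTR initial counter block
    return key1, key2, iv


def password_matches(text, password):
    """True if `password` reproduces the envelope's HMAC over the ciphertext.

    Vault is encrypt-then-MAC: the tag covers the ciphertext only, so a wrong
    password (or a tampered blob) is detected before any decryption happens.
    """
    parts = parse_vault_text(text)
    _, key2, _ = derive_keys(password, parts["salt"])
    expected = hmac.new(key2, parts["ciphertext"], hashlib.sha256).digest()
    return hmac.compare_digest(expected, parts["hmac"])


if __name__ == "__main__":
    p = parse_vault_text(PAGE_FILE_VAULT)
    print("format %s, vault id %s" % (p["version"], p["vault_id"]))
    print("salt %d bytes, hmac %d bytes, ciphertext %d bytes"
          % (len(p["salt"]), len(p["hmac"]), len(p["ciphertext"])))
    # The real vault password is not on the page; a constructed wrong one.
    print("password 'not-the-real-password' matches:",
          password_matches(PAGE_FILE_VAULT, "not-the-real-password"))
```

The 32-byte ciphertext is consistent with the answer: "passwd: foo_bar_baz\n" is 20 bytes, PKCS7-padded to a 32-byte AES block boundary before CTR encryption. Because only the HMAC is checked, the same routine is a cheap pre-flight test that a vault password file or ANSIBLE_VAULT_PASSWORD_FILE points at the right secret before a long playbook run starts.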