{{tag>ansible encryption}}
====== Encrypt content with Ansible Vault ======
This stores the Vault password in the system keyring; Ansible then obtains it from a client script (''vault-keyring-client.py'') for encryption and decryption. The steps assume Ansible was installed with pip:
<code bash>
pip3 install --user ansible
</code>
Link the ''python3'' executable to ''python''
<code bash>
sudo ln -s /usr/bin/python3 /usr/bin/python
</code>
or install the ''python-is-python3'' package
<code bash>
sudo apt install python-is-python3
</code>
otherwise the script won't work, because it expects a ''python'' executable to exist.
===== Create and store password =====
<code bash>
/home/user/.local/lib/python3.8/site-packages/ansible_collections/community/general/scripts/vault/vault-keyring-client.py --set
</code>
Then enter the password when prompted.
Afterwards it should be visible in GNOME's Passwords and Keys program.
===== Encrypt a string =====
The ''--vault-id'' value has the form ''label@source''; here the label is ''ansible'' and the source is the keyring client script, which Ansible runs to obtain the password:
<code bash>
ansible-vault encrypt_string --vault-id ansible@/home/user/.local/lib/python3.8/site-packages/ansible_collections/community/general/scripts/vault/vault-keyring-client.py "woo" --name "my_var"
</code>
Output (the label ''ansible'' is recorded in clear in the header line):
<code yaml>
my_var: !vault |
    $ANSIBLE_VAULT;1.2;AES256;ansible
    38376665323730326432343039383138303136616536363034643261643139633037363533366430
    3366303933316634653233353333643831313737376236380a643632313233613136623434656463
    32353764616639353434313936663832396364663562306562396262643935316533333630643866
    3531643764386562350a666464393362623438626462363262353662366263343265386464326165
    3865
Encryption successful
</code>
You can then copy the ''my_var'' block above into a playbook as a variable.
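As an added example (not from this page or from Ansible's own code), the script below parses the envelope printed above and checks, without decrypting anything, whether a candidate password is the one the blob was encrypted with; it recomputes the HMAC the way Ansible's VaultAES256 cipher does. The sample input is the page's own output; the password string in the usage is a made-up placeholder.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Output of the encrypt_string command on this page (an ansible-vault 1.2 envelope).
VAULT_TEXT = """$ANSIBLE_VAULT;1.2;AES256;ansible
38376665323730326432343039383138303136616536363034643261643139633037363533366430
3366303933316634653233353333643831313737376236380a643632313233613136623434656463
32353764616639353434313936663832396364663562306562396262643935316533333630643866
3531643764386562350a666464393362623438626462363262353662366263343265386464326165
3865"""


@dataclass
class VaultEnvelope:
    version: str
    cipher: str
    vault_id: str  # the --vault-id label; stored in clear, so it is not a secret
    salt: bytes
    mac: bytes
    ciphertext: bytes


def parse_envelope(text: str) -> VaultEnvelope:
    """Split a $ANSIBLE_VAULT 1.1/1.2 text into its header fields and the three
    hex-encoded parts it carries: salt, HMAC-SHA256 tag, AES-CTR ciphertext."""
    lines = text.strip().splitlines()
    header = lines[0].split(";")
    if header[0] != "$ANSIBLE_VAULT" or header[1] not in ("1.1", "1.2"):
        raise ValueError("not an ansible-vault 1.1/1.2 envelope")
    vault_id = header[3] if header[1] == "1.2" else ""
    # The body is hex of the ASCII string "<salt hex>\n<hmac hex>\n<ciphertext hex>".
    inner = bytes.fromhex("".join(lines[1:])).decode("ascii")
    salt_hex, mac_hex, ct_hex = inner.split("\n")
    return VaultEnvelope(header[1], header[2], vault_id, bytes.fromhex(salt_hex),
                         bytes.fromhex(mac_hex), bytes.fromhex(ct_hex))


def password_matches(env: VaultEnvelope, password: str) -> bool:
    """Recompute the tag as VaultAES256 does: PBKDF2-HMAC-SHA256, 10000 rounds,
    80 derived bytes = key1 | key2 | iv, then HMAC-SHA256 with key2 over the
    ciphertext. Constant-time comparison; nothing is decrypted."""
    if env.cipher != "AES256":
        raise ValueError(f"unsupported cipher {env.cipher}")
    derived = hashlib.pbkdf2_hmac("sha256", password.encode(), env.salt, 10000, dklen=80)
    key2 = derived[32:64]
    return hmac.compare_digest(hmac.new(key2, env.ciphertext, "sha256").digest(), env.mac)
```

Running ''parse_envelope'' on the blob shows a 32-byte salt, a 32-byte HMAC and a 16-byte ciphertext (the string ''woo'' padded to one AES block); ''password_matches'' lets you confirm that the password stored in the keyring is the one a playbook's blobs were encrypted with before a run fails halfway.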
===== Example playbook =====
''site.yml'', using the encrypted value (the host group name ''woo'') as the play's ''hosts'':
<code yaml>
---
- name: My playbook
  vars:
    my_var: !vault |
      $ANSIBLE_VAULT;1.2;AES256;ansible
      38376665323730326432343039383138303136616536363034643261643139633037363533366430
      3366303933316634653233353333643831313737376236380a643632313233613136623434656463
      32353764616639353434313936663832396364663562306562396262643935316533333630643866
      3531643764386562350a666464393362623438626462363262353662366263343265386464326165
      3865
  hosts: "{{ my_var }}"
  tasks:
    - name: Installing python-minimal
      raw: test -e /usr/bin/python || (apt-get -y update && apt-get install -y python-minimal)
      register: result
      changed_when: "result.rc != 0"
    - name: Updating package cache and installing column and aptitude
      apt:
        update_cache: yes
        name: ['bsdmainutils', 'aptitude']
        state: latest
...
</code>
Ansible decrypts ''my_var'' to ''woo'', so the play above runs on the hosts in the ''woo'' group.
===== Run playbook with encrypted variable =====
The same ''--vault-id'' label and script are passed so that Ansible can fetch the password from the keyring at run time:
<code bash>
ansible-playbook --vault-id ansible@/home/user/.local/lib/python3.8/site-packages/ansible_collections/community/general/scripts/vault/vault-keyring-client.py site.yml
</code>
====== Tested on ======
* Ubuntu 20.04.2 LTS
* ansible [core 2.11.3]
* python version = 3.8.10
====== References ======
* https://stackoverflow.com/questions/3655306/ubuntu-usr-bin-env-python-no-such-file-or-directory/61608129
* https://docs.ansible.com/ansible/latest/user_guide/vault.html#vault