Encrypt content with Ansible Vault
This page stores the Ansible Vault password in the system keyring (GNOME Keyring) and uses the vault-keyring-client.py script shipped with the community.general collection to hand that password to ansible for encryption and decryption, so no plaintext password file is needed. It assumes ansible was installed per-user with pip, which is why the script lives under ~/.local in the paths below. The script imports the keyring Python module, which is a separate pip package and must be installed as well.
pip3 install --user ansible
Link the python3 executable to python
sudo ln -s /usr/bin/python3 /usr/bin/python
or install the python-is-python3 package
sudo apt install python-is-python3
otherwise the script won't work: its shebang line is #!/usr/bin/env python, and Ubuntu 20.04 ships no python executable by default.
Create and store password
/home/user/.local/lib/python3.8/site-packages/ansible_collections/community/general/scripts/vault/vault-keyring-client.py --set
Then enter your password twice at the prompt (the script asks for a confirmation). It is stored in your user keyring under the key name ansible, the script's default; this is the name the ansible@ label in the commands below refers to.
Afterwards you should see it in GNOME's Passwords and Keys program (seahorse).
Encrypt a string
ansible-vault encrypt_string --vault-id ansible@/home/user/.local/lib/python3.8/site-packages/ansible_collections/community/general/scripts/vault/vault-keyring-client.py "woo" --name "my_var"
Output:
my_var: !vault |
          $ANSIBLE_VAULT;1.2;AES256;ansible
          38376665323730326432343039383138303136616536363034643261643139633037363533366430
          3366303933316634653233353333643831313737376236380a643632313233613136623434656463
          32353764616639353434313936663832396364663562306562396262643935316533333630643866
          3531643764386562350a666464393362623438626462363262353662366263343265386464326165
          3865
Encryption successful
The last line, Encryption successful, is a status message that ansible-vault prints on stderr; it is not part of the encrypted value. The ansible after AES256 in the header is the vault-id label, so ansible knows which secret the value was encrypted with.
You can then copy the my_var block above (without the Encryption successful line) into a playbook or vars file as-is; keep the continuation lines under !vault | indented consistently.
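As an added example (not part of the original page and not code from the community.general collection), the following Python script takes the encrypted string above apart without decrypting it. It relies on the documented Ansible Vault 1.1/1.2 layout: a header with format version, cipher and (in 1.2) the vault-id label, followed by a hex payload that decodes to hex(salt), hex(HMAC-SHA256) and hex(AES-256-CTR ciphertext) separated by newlines. It also checks that the label in the header matches the label you are about to pass to --vault-id, which is the first thing to look at when a value does not decrypt. The ciphertext is the one shown above; the function names parse_vault_envelope, vault_id_label and label_matches are chosen here. No password is needed.

```python
"""Inspect an Ansible Vault 1.2 envelope without decrypting it.

Added example, not from the page or from community.general. It relies on the
documented Ansible Vault 1.1/1.2 envelope layout: a header line, then
hex(hex(salt) + "\n" + hex(hmac_sha256) + "\n" + hex(aes256_ctr_ciphertext)).
"""
import binascii

# The encrypted string produced on this page, copied as-is (YAML key, header and
# payload, without the "Encryption successful" status line from stderr).
VAULT_TEXT = """\
my_var: !vault |
          $ANSIBLE_VAULT;1.2;AES256;ansible
          38376665323730326432343039383138303136616536363034643261643139633037363533366430
          3366303933316634653233353333643831313737376236380a643632313233613136623434656463
          32353764616639353434313936663832396364663562306562396262643935316533333630643866
          3531643764386562350a666464393362623438626462363262353662366263343265386464326165
          3865
"""

HEADER_MAGIC = "$ANSIBLE_VAULT;"


def parse_vault_envelope(text):
    """Return header fields and raw salt/hmac/ciphertext of a vault envelope.

    Accepts either the bare envelope or the YAML form with a leading
    "name: !vault |" line. Raises ValueError on anything that is not a
    well-formed 1.1/1.2 AES256 envelope (stray non-hex lines included).
    """
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    # Skip an optional YAML key line and locate the header.
    try:
        start = next(i for i, ln in enumerate(lines) if ln.startswith(HEADER_MAGIC))
    except StopIteration:
        raise ValueError("no $ANSIBLE_VAULT header found") from None
    fields = lines[start].split(";")
    # Format 1.1 has three fields; 1.2 appends the vault-id label as a fourth.
    if len(fields) == 3:
        _, version, cipher = fields
        vault_id = None
    elif len(fields) == 4:
        _, version, cipher, vault_id = fields
    else:
        raise ValueError("malformed header: %r" % lines[start])
    if version not in ("1.1", "1.2") or cipher != "AES256":
        raise ValueError("unsupported vault format %s/%s" % (version, cipher))

    # Outer hex layer: the payload is one long hex string wrapped at 80 columns.
    outer = binascii.unhexlify("".join(lines[start + 1:]))
    parts = outer.split(b"\n")
    if len(parts) != 3:
        raise ValueError("payload must be salt, hmac and ciphertext separated by newlines")
    salt, mac, ciphertext = (binascii.unhexlify(p) for p in parts)
    if len(salt) != 32 or len(mac) != 32:
        raise ValueError("salt and HMAC-SHA256 must be 32 bytes each")
    if not ciphertext or len(ciphertext) % 16:
        raise ValueError("ciphertext must be whole 16-byte AES blocks (PKCS7 padded)")
    return {"version": version, "cipher": cipher, "vault_id": vault_id,
            "salt": salt, "hmac": mac, "ciphertext": ciphertext}


def vault_id_label(vault_id_arg):
    """Label part of a --vault-id argument: 'ansible@/path/x-client.py' -> 'ansible'.

    Without an '@', ansible uses the label 'default'.
    """
    return vault_id_arg.split("@", 1)[0] if "@" in vault_id_arg else "default"


def label_matches(envelope, vault_id_arg):
    """True if the header label equals the label given on the command line.

    By default ansible still tries every supplied secret regardless of label;
    the label is a hint for which secret to try first, not an access control.
    Set vault_id_match in ansible.cfg (ANSIBLE_VAULT_ID_MATCH) to make it strict.
    """
    return envelope["vault_id"] == vault_id_label(vault_id_arg)


if __name__ == "__main__":
    env = parse_vault_envelope(VAULT_TEXT)
    print("format %s, cipher %s, vault-id label %r"
          % (env["version"], env["cipher"], env["vault_id"]))
    print("salt %d B, hmac %d B, ciphertext %d B (%d AES blocks)"
          % (len(env["salt"]), len(env["hmac"]), len(env["ciphertext"]),
             len(env["ciphertext"]) // 16))
    cli = ("ansible@/home/user/.local/lib/python3.8/site-packages/ansible_collections/"
           "community/general/scripts/vault/vault-keyring-client.py")
    print("label matches --vault-id %s: %s" % (vault_id_label(cli), label_matches(env, cli)))
```

The three-byte plaintext "woo" shows up as a single 16-byte block, because the vault pads with PKCS7 before AES-CTR; the 32-byte salt and 32-byte HMAC are fixed-size. Pasting the Encryption successful line into a vars file is a common mistake, and the parser rejects it with a ValueError because it is not hex.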
Example playbook
site.yml
Example with the encrypted string used as the play's hosts pattern; it decrypts to the group name "woo":
---
- name: My playbook
  vars:
    my_var: !vault |
      $ANSIBLE_VAULT;1.2;AES256;ansible
      38376665323730326432343039383138303136616536363034643261643139633037363533366430
      3366303933316634653233353333643831313737376236380a643632313233613136623434656463
      32353764616639353434313936663832396364663562306562396262643935316533333630643866
      3531643764386562350a666464393362623438626462363262353662366263343265386464326165
      3865
  hosts: "{{ my_var }}"
  tasks:
    - name: Installing python-minimal
      raw: test -e /usr/bin/python || (apt-get -y update && apt-get install -y python-minimal)
      register: result
      changed_when: "result.rc != 0"
    - name: Updating package cache and installing column and aptitude
      apt:
        update_cache: yes
        name: ['bsdmainutils', 'aptitude']
        state: latest
...
The play above runs on the hosts in the "woo" group.
Run playbook with encrypted variable
ansible-playbook --vault-id ansible@/home/user/.local/lib/python3.8/site-packages/ansible_collections/community/general/scripts/vault/vault-keyring-client.py site.yml
The label before the @ (here ansible) is passed to the client script as --vault-id, so it must be the key name the password was stored under; it is also the label written into the $ANSIBLE_VAULT;1.2;AES256;ansible header. Ansible only passes that argument to scripts whose file name ends in -client (as in vault-keyring-client.py), so keep the name if you copy the script elsewhere. To avoid typing the long path on every run, the same ansible@/path value can be set as vault_identity_list in the [defaults] section of ansible.cfg.
Tested on
- Ubuntu 20.04.2 LTS
- ansible [core 2.11.3]
- python version = 3.8.10
wiki/encrypt_content_ansible_vault.txt · Last modified: 2021/08/13 15:25 by antisa