I know it's a 4.5-year-old message. Trying to see if I can be of help here.

I am the maintainer of Citrix-adc-ansible-modules (NetScaler) 
-- https://github.com/citrix/citrix-adc-ansible-modules

I have tested working with ansible-vault.

Let me know if you still need help with this.

On Thursday, November 22, 2018 at 1:45:28 PM UTC+5:30 gaurav naithani wrote:

> I am doing Network Automation where we have different flavours of devices
> like Netscaler, Cisco, Juniper, Fortigate etc.
> This is DevOps at its best where we will put host details like IPs, user
> name and password into the inventory file on ansible machine and then
> create playbooks to carry out use cases like update ssl certificates on all
> devices, rolling updates etc.
>
> I need help on designing how to save and secure sensitive details w.r.t. 
> host machines like user name and passwords.
> Currently I am encrypting inventory file with ansible-vault using
> --ask-vault-pass and --vault-password-file options but both of them fail
> when I run playbooks with Nitro APIs
> with error as:
>  localhost]: FAILED! => {"changed": false, "msg": "nitro exception during 
> login. errorcode=354, message=Invalid username or password"}
>
> basically it does not accept encrypted password, same playbook works when 
> I try un-encrypted host file. 
>
> Second problem is let's assume it works and then I have this vault-password
> file with plain text so how to push it to hashicorp vault. I am planning to 
> use vault write command to save this vault password file to path and then 
> use lookup modules to read secret. 
>
> Is it justified to have two vaults to save passwords or should I straight
> away save my inventory file in hashicorp vault and run ansible-playbook
> command pointing to that inventory? Glad if someone can share code or
> command snippets to explain.
>
