I'm running Ansible 2.6.2 and trying to wrap my head around --vault-id and 
multiple vault passwords 
(<https://docs.ansible.com/ansible/latest/user_guide/vault.html#vault-ids-and-multiple-vault-passwords>).

As I understand it, the usefulness it brings is that different users can have 
their playbook decrypt their team's version of the variable and we don't have 
to create different vaulted files for each environment. I'm having trouble 
determining how to set up the variable file properly.

To test this, I set up a simple test like this:

# Set up a simple playbook to pull in the variable file, then show the encrypted data.
# The "validate_dev.yml" playbook:
---
- hosts: localhost
  become: yes
  gather_facts: no

  tasks:
  - name: "Read in the password file."
    include_vars:
      file: "the_secrets.yml"

  - name: "The value of the_password variable."
    debug:
      msg: "The value of the_password is {{the_password}}."


# 1 - Set up the development and production encryption/decryption keys.
echo -n DevDecryptKey > dev_decrypt_key.txt
echo -n ProdDecryptKey > prod_decrypt_key.txt

# 2 - Build the vaulted "the_secrets.yml" file for dev and prod
echo -n "DevPassW0rd!" | ansible-vault encrypt_string --vault-id dev@dev_decrypt_key.txt --stdin-name "the_password" | tee -a the_secrets.yml
echo -n "ProdPWD!" | ansible-vault encrypt_string --vault-id prod@prod_decrypt_key.txt --stdin-name "the_password" | tee -a the_secrets.yml

# 3 - Show the the_secrets.yml file:
# Note that it contains the "the_password" variable twice, the first with the "dev" vault ID, the second with the "prod" vault ID.
the_password: !vault |
          $ANSIBLE_VAULT;1.2;AES256;dev
          38333335626439323236303337313065353533643537623737663932653864333466333231393830
          3530626365303535396237643932373437323438643235660a373235336330663762323134393436
          62643134316438326135366637623831666436633331333333343464636435373564613432373564
          3664393736333062650a666531336463393162376335386438393664303265633937633935386666
          6631
the_password: !vault |
          $ANSIBLE_VAULT;1.2;AES256;prod
          64326635306363636338353930313564353639326166326531613362383730633539343164376432
          6462393037353831626361633536356135363235623039350a626561313137396330653738303665
          64353963363538653039633739336266646333353433386130643538656266646537616361643437
          3534373736323331640a323934316138323737636363303663353932383965386664353630383132
          31656565313030633161306531363135623536383733663133353032393532313736


# 4 - Try to execute with the dev and then the prod keys
ansible-playbook -l localhost -e ansible_connection=local --vault-id ./prod_decrypt_key.txt ./validate_dev.yml
*THIS WORKS* - presumably because "the_password" variable was defined twice 
and the second one (prod) overwrote it.

ansible-playbook -l localhost -e ansible_connection=local --vault-id ./dev_decrypt_key.txt ./validate_dev.yml
*THIS FAILS* - presumably because "the_password" variable was defined twice 
and the second one (prod) overwrote it.

I assume the file containing the vaulted password ("the_secrets.yml") needs 
to be set up differently, but I can't find where that format/usage is 
documented.

-- 
You received this message because you are subscribed to the Google Groups 
"Ansible Project" group.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/ansible-project/ea9af1b1-b871-4986-8b22-e0c4fa3c9a63%40googlegroups.com.
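Added example, not part of the original post and not Ansible's own code: a stdlib-only Python check that scans a vars file laid out like the_secrets.yml above, parses each $ANSIBLE_VAULT header for its format version, cipher and vault ID label, validates that the vaulttext is well-formed hex, and flags any key that is defined more than once. The sample file embedded in the script is constructed (same shape as the post's file, ciphertext shortened). The point it makes: a YAML mapping cannot hold the same key twice, so the loader keeps only the last definition and the file above only ever yields the prod value, which is exactly what the two runs show. Vault IDs let one run carry several vault passwords (by default Ansible tries every supplied secret against each vaulted value regardless of its label); they do not select between two definitions of the same variable. The usual layout is one vaulted vars file per environment (for example group_vars per environment) with the key defined once in each. The function and file names below are mine.

```python
"""Lint an Ansible vars file for vaulted values and duplicate keys (stdlib only)."""
import re
from collections import OrderedDict

# Vault payload header: $ANSIBLE_VAULT;<format>;<cipher>[;<vault id>]
# The ";<vault id>" suffix is what format 1.2 adds over 1.1.
HEADER_RE = re.compile(
    r"^\$ANSIBLE_VAULT;(?P<version>\d+\.\d+);(?P<cipher>[A-Z0-9]+)(?:;(?P<vault_id>[^;\s]+))?$"
)
# A top-level "name: !vault |" line; the payload is the indented block that follows.
VAULT_KEY_RE = re.compile(r"^(?P<key>[A-Za-z_]\w*):\s*!vault\s*\|\s*$")

# Constructed sample in the shape of the_secrets.yml from the post: the same key
# defined twice with different vault IDs. Ciphertext shortened, not real vault output.
SAMPLE = """\
the_password: !vault |
          $ANSIBLE_VAULT;1.2;AES256;dev
          383333356264393232363033373130653535336435376237
          6631
the_password: !vault |
          $ANSIBLE_VAULT;1.2;AES256;prod
          643266353063636363383539303135643536393261663265
          31656565313030633161306531363135623536383733663133
db_host: db.example.internal
"""


def parse_vault_blocks(text):
    """Return [(key, header_dict, hex_payload)] for every vaulted scalar, in file order."""
    lines = text.splitlines()
    blocks, i = [], 0
    while i < len(lines):
        m = VAULT_KEY_RE.match(lines[i])
        i += 1
        if not m:
            continue
        key = m.group("key")
        body = []
        # The block scalar is every following line that is indented.
        while i < len(lines) and lines[i][:1].isspace():
            body.append(lines[i].strip())
            i += 1
        if not body:
            raise ValueError("vaulted value %r has no payload" % key)
        h = HEADER_RE.match(body[0])
        if not h:
            raise ValueError("bad vault header for %r: %r" % (key, body[0]))
        header = h.groupdict()
        # Format 1.1 payloads carry no label; Ansible treats those as the "default" id.
        header["vault_id"] = header["vault_id"] or "default"
        payload = "".join(body[1:])
        # vaulttext is lowercase hex; an odd length or stray character means a mangled paste.
        if not payload or len(payload) % 2 or not re.fullmatch(r"[0-9a-f]+", payload):
            raise ValueError("payload for %r is not well-formed hex" % key)
        blocks.append((key, header, payload))
    return blocks


def duplicate_keys(blocks):
    """Map each key defined more than once to the vault IDs of its definitions, in order."""
    seen = OrderedDict()
    for key, header, _ in blocks:
        seen.setdefault(key, []).append(header["vault_id"])
    return {k: ids for k, ids in seen.items() if len(ids) > 1}


def effective_vault_ids(blocks):
    """Vault ID that actually applies per key: the YAML loader keeps only the last
    definition of a key, so only the last block's label matters at decrypt time."""
    result = OrderedDict()
    for key, header, _ in blocks:
        result[key] = header["vault_id"]
    return result


def report(text):
    """Human-readable findings for a vars file."""
    blocks = parse_vault_blocks(text)
    lines = []
    for key, ids in duplicate_keys(blocks).items():
        lines.append("duplicate key %r: vault IDs %s, only %r survives YAML loading"
                     % (key, ids, ids[-1]))
    lines.append("vault IDs needed to decrypt the loaded values: %s"
                 % sorted(set(effective_vault_ids(blocks).values())))
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE):
        print(line)
```

Run it against a real file by replacing SAMPLE with the file's contents; a duplicate-key finding means the earlier definitions are dead weight and the run will need the last definition's vault password whatever --vault-id label you pass.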