Hi,

In one of my playbooks there is a task that is creating a token through an API. As the next task, I would like to store that token somewhere in my vars hierarchy. If it were a plain text variable that would be easy. But I don't seem to be able to save a vaulted file with a task.

One approach is with the pipe lookup and ansible-vault encrypt (seems a bit ugly/unsafe):

    - name: save token
      ansible.builtin.copy:
        content: "{{ lookup('ansible.builtin.pipe', 'echo ' ~ token|quote ~ ' | ansible-vault encrypt') }}"
        dest: /tmp/out1
        mode: 0600

This seems to work, and because ansible.cfg contains the right information (vault_identity_list, vault_encrypt_identity) the encrypted content looks good when I'm debugging. But the actual file contents are plain text again. It seems the copy module decrypts the encrypted content again? How can I force the content to NOT be decrypted?

Another approach is the vault filter, which seems to be a bit cleaner. I thought this would do the trick:

    - name: save token
      ansible.builtin.copy:
        content: "{{ token | ansible.builtin.vault }}"
        dest: /tmp/out2
        mode: 0600

But that didn't work; the filter insists on an actual secret value. I then must do a separate lookup for the ansible vault password. But the vault password file can also be an executable that sends the secret to stdout. I don't want to have to implement that logic myself. Is there a way for the ansible.builtin.vault filter to use the vault_identity_list and vault_encrypt_identity that are in ansible.cfg?

To see if it worked at all, I just hard-coded the actual secret like this:

    - name: save token
      ansible.builtin.copy:
        content: "{{ token | ansible.builtin.vault('hackme') }}"
        dest: /tmp/out2
        mode: 0600

Just like the other example, this works but the content is again decrypted by the copy module.

Any hints are appreciated :)

tnx

Dick
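
One way to keep the vault text encrypted on disk and to verify it, as an added example that is not part of the original post. It assumes that the `decrypt` option of `ansible.builtin.copy` (default true) is what turns the vaulted `content` back into plain text; `vault_secret`, `DEMO_VAULT_SECRET` and the sample token are hypothetical names and constructed values.

```yaml
# Added example, not from the original post.
- name: Write a vaulted token and confirm it stays encrypted on disk
  hosts: localhost
  gather_facts: false
  vars:
    # Constructed value standing in for the token returned by the API task.
    token: "constructed-sample-token"
    # Hypothetical source of the vault password; the filter needs it passed explicitly.
    vault_secret: "{{ lookup('ansible.builtin.env', 'DEMO_VAULT_SECRET') }}"
  tasks:
    - name: Save token as vault text
      ansible.builtin.copy:
        content: "{{ token | ansible.builtin.vault(vault_secret) }}"
        dest: /tmp/out2
        mode: "0600"
        # Assumption: this stops copy from auto-decrypting vault-formatted input.
        decrypt: false
      no_log: true   # keep the token and the secret out of task output

    - name: Read the file back
      ansible.builtin.slurp:
        src: /tmp/out2
      register: written
      no_log: true

    - name: Fail if the file does not start with the vault envelope header
      ansible.builtin.assert:
        that:
          - (written.content | b64decode).startswith('$ANSIBLE_VAULT;')
        fail_msg: "/tmp/out2 is not vault-encrypted"
```

The final assert is the part worth keeping in any variant of the task: it fails the play if the token ever lands on disk in plain text.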