Hi

In one of my playbooks there is a task that is creating a token through an
API.
As the next task, I would like to store that token somewhere in my vars
hierarchy.
If it were a plain text variable that would be easy.

But I don't seem to be able to save a vaulted file with a task.

One approach is with the pipe lookup and ansible-vault encrypt (seems a bit
ugly/unsafe):

- name: save token
  ansible.builtin.copy:
    # pipe the quoted token into ansible-vault, which reads plaintext from stdin
    content: "{{ lookup('ansible.builtin.pipe', 'echo ' ~ token|quote ~ ' | ansible-vault encrypt') }}"
    dest: /tmp/out1
    mode: 0600

This seems to work, and because ansible.cfg contains the right information
(vault_identity_list, vault_encrypt_identity) the encrypted content looks
good, when I'm debugging.
But the actual file contents are plain text again. It seems the copy module
decrypts the encrypted content again? How can I force the content to NOT be
decrypted?

Another approach is the vault filter, which seems to be a bit cleaner. I
thought this would do the trick:

- name: save token
  ansible.builtin.copy:
    content: "{{ token | ansible.builtin.vault }}"
    dest: /tmp/out2
    mode: 0600

But that didn't work, the filter insists on an actual secret value. I then
must do a separate lookup for the ansible vault password. But the vault
password file can also be an executable that sends the secret to stdout. I
don't want to have to implement that logic myself.

Is there a way for the ansible.builtin.vault filter to use the
vault_identity_list and vault_encrypt_identity that are in ansible.cfg?

To see if it worked at all, I just hard-coded the actual secret like this:

- name: save token
  ansible.builtin.copy:
    content: "{{ token | ansible.builtin.vault('hackme') }}"
    dest: /tmp/out2
    mode: 0600

Just like the other example, this works but the content is again decrypted
by the copy module.


Any hints are appreciated :)

tnx

Dick

-- 
You received this message because you are subscribed to the Google Groups 
"Ansible Project" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ansible-project+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/ansible-project/CAF8BbLaV1HzkBjL_PR6d-D3kZ%3DQRkXdt%2BvfFsRENNJ0ZULwSyw%40mail.gmail.com.

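An added example, not from the poster: the copy action stages content: in a temporary file and, with its decrypt option at the default of true, auto-decrypts any vault-formatted source before copying, so decrypt: false keeps the ciphertext as written. The vault_password variable is an assumption standing in for however the secret is obtained (the post hard-codes 'hackme' for testing); the read-back check catches the plain-text case the post describes.

```yaml
# Added example, not from the original post.
# `vault_password` is an assumed variable holding the vault secret.
- name: Save token as a vault-encrypted file
  ansible.builtin.copy:
    content: "{{ token | ansible.builtin.vault(vault_password) }}"
    dest: /tmp/out2
    mode: '0600'
    decrypt: false        # do not auto-decrypt the vault-formatted content
  no_log: true            # keep the token and the secret out of task output

# Read the file back and fail if it lost its vault header, i.e. if the
# token ended up on disk in plain text.
- name: Read the saved file
  ansible.builtin.slurp:
    src: /tmp/out2
  register: saved
  no_log: true

- name: Fail if the token was written in plain text
  ansible.builtin.assert:
    that: (saved.content | b64decode).startswith('$ANSIBLE_VAULT;')
    fail_msg: "/tmp/out2 does not carry the vault header"
    quiet: true
```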