Hi

In one of my playbooks there is a task that is creating a token through an
API.
As the next task, I would like to store that token somewhere in my vars
hierarchy.
If it were a plain text variable that would be easy.

But I don't seem to be able to save a vaulted file with a task.

One approach is with the pipe lookup and ansible-vault encrypt (seems a bit
ugly/unsafe):

- name: save token
  ansible.builtin.copy:
    # pipe lookup runs on the controller; the token goes through a shell command line
    content: "{{ lookup('ansible.builtin.pipe', 'echo ' ~ token|quote ~ ' | ansible-vault encrypt') }}"
    dest: /tmp/out1
    mode: "0600"

This seems to work, and because ansible.cfg contains the right information
(vault_identity_list, vault_encrypt_identity) the encrypted content looks
good, when I'm debugging.
But the actual file contents are plain text again. It seems the copy module
decrypts the encrypted content again? How can I force the content to NOT be
decrypted?

Another approach is the vault filter, which seems to be a bit cleaner. I
thought this would do the trick:

- name: save token
  ansible.builtin.copy:
    content: "{{ token | ansible.builtin.vault }}"
    dest: /tmp/out2
    mode: "0600"

But that didn't work, the filter insists on an actual secret value. I then
must do a separate lookup for the ansible vault password. But the vault
password file can also be an executable that sends the secret to stdout. I
don't want to have to implement that logic myself.

Is there a way for the ansible.builtin.vault filter to use the
vault_identity_list and vault_encrypt_identity that are in ansible.cfg?

To see if it worked at all, I just hard-coded the actual secret like this:

- name: save token
  ansible.builtin.copy:
    content: "{{ token | ansible.builtin.vault('hackme') }}"
    dest: /tmp/out2
    mode: "0600"

Just like the other example, this works but the content is again decrypted
by the copy module.


Any hints are appreciated :)

tnx

Dick

-- 
You received this message because you are subscribed to the Google Groups 
"Ansible Project" group.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/ansible-project/CAF8BbLaV1HzkBjL_PR6d-D3kZ%3DQRkXdt%2BvfFsRENNJ0ZULwSyw%40mail.gmail.com.

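An added example, not the poster's code: the vault filter variant above with the two adjustments a practitioner would want. The ansible.builtin.copy action has a decrypt option (default true) that auto-decrypts vault-formatted source content before writing it, which matches the symptom described; it is set to false here. The filter still needs the secret as an explicit argument, so the example reuses the executable vault password file via the pipe lookup instead of reimplementing that logic, and a follow-up assertion checks that what landed on disk is still vaulted. The script path ~/.vault-pass.sh, the token variable from the earlier API task, and /tmp/out2 are assumptions.

```yaml
# Added example (not from the original post). Assumes an earlier task registered the
# token in `token` and that the executable vault password file configured in
# ansible.cfg lives at ~/.vault-pass.sh and prints the password to stdout.
- name: save token (vaulted)
  vars:
    # pipe lookup runs on the controller; the script is the same one ansible-vault
    # would call, so no second password-handling implementation is needed
    vault_pass: "{{ lookup('ansible.builtin.pipe', '~/.vault-pass.sh') }}"
  ansible.builtin.copy:
    # token is encrypted in-process; it never appears on a shell command line
    content: "{{ token | ansible.builtin.vault(vault_pass) }}"
    dest: /tmp/out2
    mode: "0600"
    # copy auto-decrypts vault-formatted source content by default; turn that off
    # so the $ANSIBLE_VAULT payload is written as-is
    decrypt: false
  # keeps the token and the vault password out of the play output
  no_log: true

- name: read back what is actually on disk
  ansible.builtin.slurp:
    src: /tmp/out2
  register: out2

- name: fail if plaintext leaked to disk
  ansible.builtin.assert:
    that:
      - (out2.content | b64decode).startswith('$ANSIBLE_VAULT;')
    fail_msg: "/tmp/out2 is not vault-encrypted"
    quiet: true

- name: consume the stored token later (decrypted with the configured vault identities)
  ansible.builtin.debug:
    msg: "token length is {{ lookup('ansible.builtin.unvault', '/tmp/out2') | length }}"
```

The assert task is the check to keep around: without decrypt: false the file starts with the raw token rather than the $ANSIBLE_VAULT; header, and the play stops instead of silently leaving a plaintext secret in place. The unvault lookup at the end decrypts with the vault identities from ansible.cfg, which is why the file can be dropped into the normal vars hierarchy afterwards.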