How to automate ansible vault decryption?


I want to automate the decryption of ansible vault and not to have to specify the vault location or password from the command line.

Mainly, I am looking for a solution that would work in a way similar to how ~/.netrc works. When you put credentials there, the tools (like curl, wget, ...) will know to load them.

If you don't it the execution will have.

That's quite important because I need to be able to automate the execution of these ansible playbooks, so prompt for password is clearly not an option.

Also, I do not want to have to add --vault-password-file parameter to each playbook. Any ideas?


Accepted answer (score 0)

Much like the inventory, if vault-password-file has the executable bit set, Ansible will run it and use stdout as the password.

That allows you to write a script that wraps the password in PGP encryption, sits in a limited-access S3 bucket, uses AWS KMS, or whatever strikes your fancy.
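As an added example (not part of the answer above), here is a small executable vault password script of the kind the answer describes. It tries two sources and fails closed: an environment variable, then a PGP-encrypted file decrypted with `gpg`. The file name `vault-pass.sh` and the variable names `ANSIBLE_VAULT_PASSWORD` and `VAULT_PASS_GPG_FILE` are assumptions for this example, not Ansible built-ins.

```shell
#!/bin/sh
# Hypothetical vault password script (added example, not from the answer).
# Ansible executes this file when it has the executable bit set and takes
# whatever is written to stdout as the vault password.
#
# Sources tried in order (both names are assumptions for this example):
#   1. ANSIBLE_VAULT_PASSWORD  - environment variable, handy in CI jobs
#   2. VAULT_PASS_GPG_FILE     - PGP-encrypted file, decrypted via gpg-agent
#
# A non-zero exit makes ansible-playbook abort instead of silently
# trying an empty password.

get_vault_password() {
  src="${VAULT_PASS_GPG_FILE:-$HOME/.ansible/vault-pass.gpg}"

  if [ -n "${ANSIBLE_VAULT_PASSWORD:-}" ]; then
    printf '%s\n' "$ANSIBLE_VAULT_PASSWORD"
    return 0
  fi

  if [ -r "$src" ]; then
    # --batch keeps gpg from prompting; the key must already be usable
    # non-interactively (e.g. cached in gpg-agent) for unattended runs.
    gpg --quiet --batch --decrypt "$src"
    return $?
  fi

  echo "vault-pass.sh: no vault password source available" >&2
  return 1
}

# When executed as the vault password script, print the password; when
# sourced from another script (for reuse or testing) only define the function.
case "${0##*/}" in
  vault-pass.sh) get_vault_password ;;
esac
```

Install it with `chmod 700 ~/.ansible/vault-pass.sh` and point Ansible at it either with `vault_password_file = ~/.ansible/vault-pass.sh` under `[defaults]` in `ansible.cfg` or with the `ANSIBLE_VAULT_PASSWORD_FILE` environment variable; either way no `--vault-password-file` flag is needed on the command line. The script itself contains no secret, so the protection rests on the PGP key (or on the CI system that sets the environment variable), which is the point of the answer above.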

Answer (score 0)

You can define vault_password_file in your ansible.cfg.

But I do not see too much value in this. Looking at the .netrc manpage, I see the credentials are in the .netrc file and also written in plaintext. Furthermore it suggests:

This file resides in the user's home directory on the machine initiating the file transfer. Its permissions should be set to disallow read access by group and others.

For .netrc it makes sense because the goal is to provide access to other systems. But your goal is to provide access to a file.

Though it does not make too much sense to encrypt a file and then simply put the key for decrypting it inside another file on the same host which is only protected by chmod. You could simply protect your secrets in Ansible with chmod in the first place. This has the same level of security and avoids some overhead.

Answer (score 1)

There are several ways:

  1. As suggested, store your password file in lock (e.g. Azure container or any other location accessible using ssh keys). Fetch it on runtime and use the --vault-password-file parameter. You can delete the file right after that.

  2. If you are using an automation server like Jenkins, you can store your password as a Jenkins Credential. Retrieve the password on the fly and put it in a text file. Again, use the --vault-password-file parameter. I wrote a small post on it here: Storing Vault key in Jenkins
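Both steps above fetch the password at run time, write it to a file, pass that file to `--vault-password-file` and delete it afterwards. The following wrapper is an added example of that lifecycle (it is not from the answer or from any Ansible project code): the file is created with owner-only permissions from the start, so there is no window in which another local user could read it, and a `trap` removes it even if the playbook fails or the job is killed. `fetch_vault_password` is a stand-in for the real retrieval step (Jenkins credential, object store, scp); here it reads a constructed environment variable `VAULT_PASS_SOURCE`, and `ANSIBLE_PLAYBOOK_CMD` is an assumed override so the wrapper can be exercised without Ansible installed.

```shell
#!/bin/sh
# Added example: run a playbook with a vault password fetched at run time,
# kept in a short-lived mode-0600 file and removed on exit.

# Stand-in for the real fetch (Jenkins credential, object store, scp).
# Assumes the CI job exports VAULT_PASS_SOURCE; fails closed if it is unset.
fetch_vault_password() {
  [ -n "${VAULT_PASS_SOURCE:-}" ] || return 1
  printf '%s' "$VAULT_PASS_SOURCE"
}

# Create the password file with mode 0600 from the moment it exists:
# set umask 077 *before* mktemp rather than chmod afterwards.
make_vault_pass_file() {
  old_umask=$(umask)
  umask 077
  f=$(mktemp "${TMPDIR:-/tmp}/vault-pass.XXXXXX") || return 1
  umask "$old_umask"
  fetch_vault_password > "$f" || { rm -f "$f"; return 1; }
  printf '%s\n' "$f"
}

# Run ansible-playbook with the ephemeral password file and clean up.
# ANSIBLE_PLAYBOOK_CMD is an assumed override (e.g. "true") for testing
# the wrapper on a machine without Ansible.
run_playbook_with_vault() {
  playbook="$1"
  playbook_cmd="${ANSIBLE_PLAYBOOK_CMD:-ansible-playbook}"
  passfile=$(make_vault_pass_file) || return 1
  # Remove the file whatever happens: normal exit, error, or signal.
  trap 'rm -f "$passfile"' EXIT INT TERM HUP
  "$playbook_cmd" --vault-password-file "$passfile" "$playbook"
  rc=$?
  rm -f "$passfile"
  trap - EXIT INT TERM HUP
  return $rc
}

# Usage: VAULT_PASS_SOURCE=... ./run-with-vault.sh site.yml
if [ "${0##*/}" = "run-with-vault.sh" ]; then
  run_playbook_with_vault "${1:-site.yml}"
fi
```

The umask-before-mktemp ordering matters more than it looks: `mktemp` already creates files with mode 0600 on most systems, but setting the umask makes that guarantee explicit and portable. Keep `TMPDIR` on local disk rather than a shared mount, and note that the password still exists in memory and in the environment of the fetch step, so this reduces the exposure window but does not remove the need to protect the CI credential store itself.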