Ansible/Vaults: Difference between revisions

From charlesreid1

No edit summary
 
(2 intermediate revisions by the same user not shown)
Line 11: Line 11:
This encrypted data can be stored in a public place, as it can only be decrypted with the appropriate passphrase.
This encrypted data can be stored in a public place, as it can only be decrypted with the appropriate passphrase.


To encrypt, call <code>ansible-vault create foo.yml</code>
Side note: this is a useful guide: https://www.digitalocean.com/community/tutorials/how-to-use-vault-to-protect-sensitive-ansible-data-on-ubuntu-16-04


To edit, call <code>ansible-vault edit foo.yml</code>


To view, call <code>ansible-vault view foo.yml bar.yml baz.yml</code>
==Basic Usage==


==Basic usage==
There are actually two ways to use encrypted variables: one is to create a standalone vault file; the other is to embed encrypted variables directly in yaml files.


===Encrypting a string using ansible-vault===
We cover both methods below.


To encrypt a string, use the ansible-vault encrypt_string command.
===Standalone Vault File===


Link: https://docs.ansible.com/ansible/latest/cli/ansible-vault.html#ansible-vault-encrypt-string
To create a vault, call <code>ansible-vault create foo.yml</code>


===Using a playbook with vault encrypted data===
This will prompt you for a password
 
To edit a vault, call <code>ansible-vault edit foo.yml</code>
 
To view a vault, call <code>ansible-vault view foo.yml bar.yml baz.yml</code>
 
===Encrypted data embedded in yaml===
 
To embed encrypted data directly into yaml, use the command line to encrypt a string, then copy and paste into the yaml file.
 
In the following command lines, the <code>--vault-id a_password_file</code> bit just specifies that
 
<pre>
ansible-vault encrypt_string --vault-id  a_password_file  'foobar' --name 'the_secret'
^^^^^^^^^^^  ^^^^^^^^^^^^^              ^^^^^^^^^^^^^^^  ^^^^^^          ^^^^^^^^^
the command  the action                name of a file    secret value  secret key
                                        containing just
                                        plaintext password
 
</pre>
 
==Using a playbook with vault encrypted data==


Example of a call to a playbook that uses vault-encrypted data:
Example of a call to a playbook that uses vault-encrypted data:

Latest revision as of 20:18, 8 December 2018

Ansible Vaults are ways of storing encrypted, sensitive data like passwords or keys.

Link: https://docs.ansible.com/ansible/latest/user_guide/vault.html

How does it work

To use ansible vault, you execute a command to tell ansible you want to create a vault (an encrypted chunk of plain text).

Ansible prompts you for a password, then opens a text editor, where you enter your sensitive information. This way, your sensitive information will only exist in a temporary buffer. When you are done editing, you save and close, and the file is automatically encrypted before being written to disk.

This encrypted data can be stored in a public place, as it can only be decrypted with the appropriate passphrase.

Side note: this is a useful guide: https://www.digitalocean.com/community/tutorials/how-to-use-vault-to-protect-sensitive-ansible-data-on-ubuntu-16-04


Basic Usage

There are actually two ways to use encrypted variables: one is to create a standalone vault file; the other is to embed encrypted variables directly in yaml files.

We cover both methods below.

Standalone Vault File

To create a vault, call ansible-vault create foo.yml

This will prompt you for a password

To edit a vault, call ansible-vault edit foo.yml

To view a vault, call ansible-vault view foo.yml bar.yml baz.yml

Encrypted data embedded in yaml

To embed encrypted data directly into yaml, use the command line to encrypt a string, then copy and paste into the yaml file.

In the following command lines, the --vault-id a_password_file bit just specifies that 

ansible-vault encrypt_string --vault-id  a_password_file  'foobar' --name 'the_secret'
^^^^^^^^^^^   ^^^^^^^^^^^^^              ^^^^^^^^^^^^^^^   ^^^^^^          ^^^^^^^^^
the command   the action                 name of a file     secret value   secret key
                                         containing just
                                         plaintext password

Using a playbook with vault encrypted data

Example of a call to a playbook that uses vault-encrypted data: 

ansible-playbook site.yml --ask-vault-pass

Alternative that uses a file containing the password: 

ansible-playbook site.yml --vault-password-file ~/.vault_pass.txt

Third alternative is to use an environment variable: 

ANSIBLE_VAULT_PASSWORD_FILE=~/.vault_pass.txt ansible-playbook site.yml



Flags


Defcon.png
Ansible
Ansible is a Python library for managing IT and compute infrastructure.

Ansible  · Category:Ansible


Ansible Configuration

Config file: Ansible/Configuration

Secrets and Sensitive Info: Ansible/Security  · Ansible/Vaults


Ansible Playbooks

Basics: Ansible/Playbooks

Examples: Ansible/Nginx Playbook (simple)  · Ansible/Full Stack Playbook (advanced)


Ansible Hosts and Inventory Control

All topics in Ansible Hosts: Ansible/Hosts

Splitting large host files into subfiles: Ansible/Splitting Hosts File

Automatically naming hosts: Ansible/Host Naming

Grouping Hosts: Ansible/Groups

Assigning Variables to Groups: Ansible/Group Variables

Roles: Ansible/Roles


Ansible and Vagrant (Local)

Ansible/Vagrant  · Ansible/Vagrant/Static Inventory  · Ansible/Vagrant/Dynamic Inventory


Ansible and EC2 (Cloud)

Ansible/EC2  · Ansible/EC2/Static Inventory  · Ansible/EC2/Dynamic Inventory


Best Practices

Ansible/Directory Layout  · Ansible/Directory Layout/Details

Ansible/Separate Playbooks by Role

Ansible/Tag Inventory with Environment

Ansible/Group by Distribution

Ansible/Variables and Vaults


Ansible Galaxy

Ansible/Galaxy


Flags  · Template:AnsibleFlag  · e



Retrieved from "https://charlesreid1.com/w/index.php?title=Ansible/Vaults&oldid=25694"