Bootstrap FreeKB - Ansible - ansible-vault encrypt_string command
Ansible - ansible-vault encrypt_string command

Updated:   |  Ansible articles

The ansible-vault command can be used to perform a number of tasks.

Additionally, there are a few command line options to be aware of.

 

The ansible-vault encrypt_string command creates an encrypted string. The encrypted string is stored as a key value pair. In this example, a key named "foo" is created, and value "bar" is encrypted.

ansible-vault encrypt_string 'bar' --name 'foo'

 

You will be prompted to create the vault password.

New Vault password:

 

Or, to avoid being prompted for the vault password, you could create a Vault Password file, and then use the --vault-password-file command line option (if you are going to use the same password for all of the ansible-vault commands) . . .

ansible-vault encrypt_string 'bar' --name 'foo' --vault-password-file /usr/local/vault/.vault_password.txt

 

Or the --vault-id command line option (if you want to use different passwords) 

ansible-vault encrypt_string 'bar' --name 'foo' --vault-id test@/usr/local/ansible/vault/.vault_password.txt

 

After providing the valid vault password, something like this should be displayed.

foo: !vault |
          $ANSIBLE_VAULT;1.1;AES256
          36363439653836626337336232306464623531653330313661306133623432333832613666323464
          3435373066366662653064393035343266363131613034310a383934373338636564616232623264
          64336238306434663434396433313437386566386466336162373861353063646531616633613965
          3461326138313833610a393161646166303362343835613566386237663636646333323236333635
          3536
Encryption successful

 

Almost always, you are going to redirect the encrypted string to a file.

ansible-vault encrypt_string 'bar' --name 'foo' > foo.txt

 

foo.txt should contain the following.

foo: !vault |
          $ANSIBLE_VAULT;1.1;AES256
          36363439653836626337336232306464623531653330313661306133623432333832613666323464
          3435373066366662653064393035343266363131613034310a383934373338636564616232623264
          64336238306434663434396433313437386566386466336162373861353063646531616633613965
          3461326138313833610a393161646166303362343835613566386237663636646333323236333635
          3536

 

On the Linux command line, here is how you would decrypt the encrypted string.

echo -e '$ANSIBLE_VAULT;1.1;AES256\n36363439653836626337336232306464623531653330313661306133623432333832613666323464\n3435373066366662653064393035343266363131613034310a383934373338636564616232623264\n64336238306434663434396433313437386566386466336162373861353063646531616633613965\n3461326138313833610a393161646166303362343835613566386237663636646333323236333635\n3536' | ansible-vault decrypt

 

Which should return the following.

Decryption successful
bar

 

In a playbook, the set_fact module and the lookup plugin can be used to store the content of the file that contains the encrypted string (foo.txt in this example) in a variable ("foo" in this example).

- set_fact:
    foo: "{{ lookup('file', 'foo.txt') }}"

 

The debug module could be used to validate that the "foo" variable contains the encrypted string.

- name: "output the 'foo' variable"
  debug: 
    var: foo

 

Which should output something like this.

TASK [output the 'out' variable]
ok: [server1.example.com] => {
    "foo": "foo: !vault |\n          $ANSIBLE_VAULT;1.2;AES256;test\n          31393261616237373231363237633237373165393063383766643265623264356366303037363262\n          3764343537623566376235306562306633616333333361350a303563343938636236336466373366\n          34363363633261396466323234393162613137343737393366616630343561653433643935383536\n          6436323264653439360a333838383837333636323933306438613164346636383336616361623836\n          3066"
}

 

shell module could be used to invoke the ansible-vault command. In this example, the register parameter is used to store the output in the "out" variable. In this scenario, you most definitely are going to want to include the --vault-password-file or --vault-id option so that the script doesn't halt and prompt for the vault password.

- name: "ansible-vault view foo.txt"
  shell: "ansible-vault view --vault-id test@/usr/local/ansible/vault/.vault_password.txt foo.txt"
  register: out

 

The debug module could be used to validate that the "out" variable contains the plain text content of foo.txt.

- name: "output the 'out' variable"
  debug: 
    var: out

 

Which should output something like this.

TASK [output the 'out' variable]
ok: [server1.example.com] => {
    "msg": "Hello World"
}

 




Did you find this article helpful?

If so, consider buying me a coffee over at Buy Me A Coffee



Comments


Add a Comment


Please enter b35cd9 in the box below so that we can be sure you are a human.