Ansible - --vault-id command line option

The ansible-vault command can be used to perform a number of tasks.

Additionally, there are a few command line options to be aware of.

 

This assumes you have created the Ansible Vault password file. Let's say the password file is:

/usr/local/vault/.vault_password.txt

 

Let's say .vault_password.txt contains the following.

test:testpassword
prod:prodpassword

 

A vault password file can be used to provide the vault password when:

 

Let's say foo.txt was created using --vault-id with the "test" password.

~]$ ansible-vault create --vault-id test@/usr/local/vault/.vault_password.txt foo.txt

 

In this example, foo.txt will contain the "test" id.

~]$ cat foo.txt
$ANSIBLE_VAULT;1.2;AES256;test
38626262613533326438383838363032346366643231633838393661633061633830383832643062
6666663233666435636165323038653462343732343264310a616532376238616537613832363565
63336561303230626332326436303830356335343061386333636131386435316633396464353832
3631303831333164610a393266346630313635313831626639303961663330333736393236373032
3062

 

You can view foo.txt by including the --vault-id command line option and you will not be prompted for the vault password.

ansible-vault --vault-id test@/usr/local/vault/.vault_password.txt view foo.txt
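
To find out which vault ID label a file carries before choosing the --vault-id value, the header line shown above can be parsed. This is an added example, not code from the original page or from Ansible; the function names are hypothetical and the sample body is constructed.

```python
VAULT_MAGIC = "$ANSIBLE_VAULT"
DEFAULT_LABEL = "default"  # label Ansible assumes when the header has none

# Constructed sample: the header line shown on this page plus a dummy hex body.
SAMPLE = "$ANSIBLE_VAULT;1.2;AES256;test\n38626262613533326438\n3062\n"


def parse_vault_header(text):
    """Return (format_version, cipher, vault_id_label) from vault-encrypted text."""
    lines = text.strip().splitlines()
    fields = lines[0].strip().split(";") if lines else []
    if not fields or fields[0] != VAULT_MAGIC:
        raise ValueError("not an Ansible Vault file")
    if len(fields) == 3:      # 1.1 header: no label field
        return fields[1], fields[2], DEFAULT_LABEL
    if len(fields) == 4:      # 1.2 header: label is the fourth field
        return fields[1], fields[2], fields[3]
    raise ValueError("unexpected vault header: %r" % lines[0])


def body_is_hex(text):
    """True when everything after the header line decodes as hex."""
    body = "".join(line.strip() for line in text.strip().splitlines()[1:])
    if not body:
        return False
    try:
        bytes.fromhex(body)
    except ValueError:
        return False
    return True


def vault_id_arg(text, password_file):
    """Build the label@source value to pass to --vault-id for this file."""
    _, _, label = parse_vault_header(text)
    return "%s@%s" % (label, password_file)


if __name__ == "__main__":
    print(parse_vault_header(SAMPLE))
    print(vault_id_arg(SAMPLE, "/usr/local/vault/.vault_password.txt"))
```

The label is stored in cleartext in the header, so it can be read without the vault password; it only indicates which password to try.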

 

Or, let's say you are using the --ask-pass flag with the ansible-playbook command.

ansible-playbook foo.yml --ask-pass

 

You could instead use the --vault-password-file command line option. In this example, .vault_password.txt would be an unencrypted cleartext file that contains the password used to make an SSH connection to the managed nodes.

ansible-playbook foo.yml --vault-password-file /usr/local/vault/.vault_password.txt

 

The great advantage to this approach is that you wouldn't need to use the --vault-password-file or --vault-id command line options.

ansible-vault view foo.txt



Web design by yours truely - me, myself, and I   |   jeremy.canfield@freekb.net   |