Ansible - Decrypting a vault encrypted file

Generally speaking, when you have sensitive data that needs to be encrypted, there are two main approaches.

  1. Store the encrypted data in a variable
  2. Copy the encrypted file to each managed node

By far, option 1 is the preferred approach, and this article describes option 1. However, if for some reason option 1 is not feasible, refer to How to copy an encrypted file to each managed node.


Let's say you have a file named locker.yml that contains the following.

test_password: itsasecret
prod_password: hGn4!kD98A

And you have encrypted locker.yml using the ansible-vault create or ansible-vault encrypt command. Attempting to view the locker.yml file using the cat command will display something like this.

$ANSIBLE_VAULT;1.1;AES256
66303833643731313633343266616162613965636161313534376563383639646463376630626635
3136316663626536303061333531303234616562323637330a373633393736393863373566623261
65643764336263613730666665663763383063386137383331386136366232666637626566653032
3933393061666138650a656238386665343838613833643435623932306539633138376533613039
6531

The ansible-vault view command can be used to view the content of the locker.yml file.
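
To show what ansible-vault view is actually working with, here is an added example (not code from this article, and not Ansible's own implementation) that parses the envelope printed above with nothing but the Python standard library. The body is hex; decoding it once yields three newline-separated hex fields: a 32-byte salt, an HMAC-SHA256 tag and the AES-256-CTR ciphertext. The password is stretched with PBKDF2-HMAC-SHA256 (10000 rounds) into an 80-byte key from which the AES key, the HMAC key and the IV are sliced; those constants are Ansible's VaultAES256 parameters. verify_password checks a candidate password against the HMAC the same way ansible-vault does before decrypting, so a wrong password is rejected without ever producing plaintext. The blob on the page is a short display sample rather than the full encryption of locker.yml, so the script only checks its structure. build_envelope and the function names are this example's own; build_envelope wraps already-encrypted bytes for self-tests and does not perform the AES step, which is not in the standard library.

```python
"""Parse the Ansible Vault 1.1/1.2 envelope and verify a vault password
without decrypting. Added example, not code from the article or from Ansible."""
import binascii
import hashlib
import hmac
import os

# Parameters of Ansible's AES256 vault cipher: PBKDF2-HMAC-SHA256, 10000 rounds,
# derived material = 32-byte AES key + 32-byte HMAC key + 16-byte CTR IV.
PBKDF2_ROUNDS = 10000
KEY_LEN = 32
IV_LEN = 16

# The encrypted locker.yml exactly as printed in the article (a display sample).
LOCKER_VAULTTEXT = """$ANSIBLE_VAULT;1.1;AES256
66303833643731313633343266616162613965636161313534376563383639646463376630626635
3136316663626536303061333531303234616562323637330a373633393736393863373566623261
65643764336263613730666665663763383063386137383331386136366232666637626566653032
3933393061666138650a656238386665343838613833643435623932306539633138376533613039
6531
"""


def parse_envelope(vaulttext):
    """Split a vault text into header fields and raw salt/hmac/ciphertext bytes."""
    lines = vaulttext.strip().splitlines()
    if not lines or not lines[0].startswith("$ANSIBLE_VAULT;"):
        raise ValueError("not an Ansible Vault envelope")
    header = lines[0].split(";")
    if len(header) < 3 or header[2] != "AES256":
        raise ValueError("unsupported vault header: %r" % lines[0])
    version = header[1]
    vault_id = header[3] if len(header) > 3 else None  # present only in the 1.2 format
    # The wrapped body is hex; decoding it once yields three newline-separated hex fields.
    body = binascii.unhexlify("".join(line.strip() for line in lines[1:]))
    parts = body.split(b"\n")
    if len(parts) != 3:
        raise ValueError("vault body must contain salt, hmac and ciphertext")
    salt, mac, ciphertext = (binascii.unhexlify(p) for p in parts)
    if len(salt) != 32 or len(mac) != 32 or len(ciphertext) % 16 != 0:
        raise ValueError("malformed vault body")
    return {"version": version, "cipher": header[2], "vault_id": vault_id,
            "salt": salt, "hmac": mac, "ciphertext": ciphertext}


def is_vault_encrypted(text):
    """Pre-commit style check: does this text carry a well-formed vault envelope?"""
    try:
        parse_envelope(text)
        return True
    except ValueError:          # binascii.Error (bad hex) is a ValueError subclass
        return False


def derive_keys(password, salt):
    """Stretch the password into (AES key, HMAC key, IV) the way Ansible does."""
    derived = hashlib.pbkdf2_hmac("sha256", password.encode(), salt,
                                  PBKDF2_ROUNDS, 2 * KEY_LEN + IV_LEN)
    return derived[:KEY_LEN], derived[KEY_LEN:2 * KEY_LEN], derived[2 * KEY_LEN:]


def verify_password(vaulttext, password):
    """True if HMAC-SHA256(hmac_key, ciphertext) matches the stored tag."""
    env = parse_envelope(vaulttext)
    _, hmac_key, _ = derive_keys(password, env["salt"])
    expected = hmac.new(hmac_key, env["ciphertext"], hashlib.sha256).digest()
    return hmac.compare_digest(expected, env["hmac"])


def build_envelope(password, ciphertext, salt=None):
    """Wrap pre-existing ciphertext bytes in a 1.1 envelope (self-test helper;
    the AES-256-CTR encryption itself is not performed here)."""
    salt = salt or os.urandom(32)
    _, hmac_key, _ = derive_keys(password, salt)
    mac = hmac.new(hmac_key, ciphertext, hashlib.sha256).hexdigest().encode()
    body = b"\n".join([binascii.hexlify(salt), mac, binascii.hexlify(ciphertext)])
    hexbody = binascii.hexlify(body).decode()
    wrapped = [hexbody[i:i + 80] for i in range(0, len(hexbody), 80)]  # 80-column wrap
    return "$ANSIBLE_VAULT;1.1;AES256\n" + "\n".join(wrapped) + "\n"


if __name__ == "__main__":
    env = parse_envelope(LOCKER_VAULTTEXT)
    print("version", env["version"], "salt", len(env["salt"]), "bytes,",
          "hmac", len(env["hmac"]), "bytes,", "ciphertext", len(env["ciphertext"]), "bytes")
```

is_vault_encrypted is the part a practitioner can reuse directly, for instance as a pre-commit check that files under group_vars which are supposed to be vaulted really carry an envelope and were not committed in plaintext.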

Or you could create a variable that contains the encrypted vault string, like this. The "bar" variable could also be defined in other ways, such as in the vars/main.yml file or in a group_vars file. Refer to Getting Started with Variables to understand the many different ways that the "bar" variable could be defined.

---
- hosts: localhost
  vars:
    bar: !vault |
          $ANSIBLE_VAULT;1.1;AES256
          66303833643731313633343266616162613965636161313534376563383639646463376630626635
          3136316663626536303061333531303234616562323637330a373633393736393863373566623261
          65643764336263613730666665663763383063386137383331386136366232666637626566653032
          3933393061666138650a656238386665343838613833643435623932306539633138376533613039
          6531
  tasks:
    - name: display locker.yml
      debug:
        var: bar
...

The ansible-playbook command with the --ask-vault-pass flag . . .

ansible-playbook foo.yml --ask-vault-pass

Should prompt you for the vault password that was used to encrypt locker.yml.

Vault password:

Assuming you provide the correct vault password, something like this should be returned.

TASK [display locker.yml]
ok: [localhost] => {
    "bar": "test_password: itsasecret\n\nprod_password: hGn4!kD98A\n"
}

Better yet, the password that was used to encrypt locker.yml could be written to a file, such as .vault_password.txt.

echo "itsasecret" > .vault_password.txt

And then change the permissions on .vault_password.txt so that only the owner of the file can read and write it.

chmod 0600 .vault_password.txt

And now the --vault-password-file command line option can be used.

ansible-playbook foo.yml --vault-password-file /usr/local/vault/.vault_password.txt
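
The echo-then-chmod sequence above has a small gap: between the redirect and the chmod the file carries the umask-derived mode (typically 0644), so anyone on the host can read the vault password during that window. Here is an added example (not from the article, and not Ansible's code) that creates the file with mode 0600 from the first instant and refuses to overwrite an existing file, plus a check that a wrapper script can run before handing the path to --vault-password-file, since ansible-vault itself reads the file whatever its mode. The file name, the sample password and the demo function are this example's own.

```python
"""Create and check the vault password file. Added example, not code from
the article or from Ansible."""
import os
import stat
import tempfile


def write_vault_password_file(path, password):
    """Create `path` holding `password`, private to the owner from the start.

    `echo "..." > file` followed by `chmod 0600 file` leaves the file with the
    umask-derived mode until the chmod runs. Opening with O_CREAT|O_EXCL and
    mode 0o600 creates it private in one step and refuses to clobber an
    existing file (FileExistsError) instead of silently replacing it.
    """
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(password + "\n")   # ansible-vault strips the trailing newline
    return path


def vault_password_file_is_private(path):
    """True only for a regular file with no group/other permission bits set."""
    st = os.stat(path)
    return stat.S_ISREG(st.st_mode) and (stat.S_IMODE(st.st_mode) & 0o077) == 0


def demo():
    """Exercise both functions in a throwaway directory and report the results."""
    workdir = tempfile.mkdtemp()
    path = os.path.join(workdir, ".vault_password.txt")
    write_vault_password_file(path, "itsasecret")    # constructed sample password
    private_after_create = vault_password_file_is_private(path)
    with open(path) as fh:
        content = fh.read()
    os.chmod(path, 0o644)                             # simulate a careless chmod
    private_after_loosening = vault_password_file_is_private(path)
    try:
        write_vault_password_file(path, "other")      # O_EXCL refuses to overwrite
        clobber_refused = False
    except FileExistsError:
        clobber_refused = True
    return private_after_create, content, private_after_loosening, clobber_refused


if __name__ == "__main__":
    print(demo())
```

In a wrapper script, call vault_password_file_is_private on the path and abort the ansible-playbook run when it returns False; that turns the chmod 0600 advice above into something that is enforced rather than remembered.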

Be aware that if you attempt to use the split operator on the bar variable, the following will be returned. Refer to Resolve "ansible.parsing.yaml.objects.AnsibleVaultEncryptedUnicode object has no attribute split" for the steps on how to resolve this issue using the string filter.

TASK [display the content of the 'passwords' variable]
fatal: [localhost]: FAILED! => {"msg": "
The task includes an option with an undefined variable.
The error was: 'ansible.parsing.yaml.objects.AnsibleVaultEncryptedUnicode object' has no attribute 'split'\n\n
The error appears to be in '/usr/local/ansible/testing.yml': line 17, column 7, but may be elsewhere in the file depending on the exact syntax problem.
The offending line appears to be:
- name: display the contents of the 'passwords' variable
        ^ here

Web design by yours truly - me, myself, and I   |   jeremy.canfield@freekb.net