Bootstrap FreeKB - Ansible - --ask-vault-pass command line option
Ansible - --ask-vault-pass command line option

Updated:   |  Ansible articles

If you are not familiar with the Ansible Vault, check out my article Getting Started with the Ansible Vault.

The ansible-vault command can be used to perform a number of tasks.

Additionally, there are a few command line options to be aware of.

  • --ask-vault-pass - prompt for the vault password
  • --vault-id - use a specific users password in a file
  • --vault-password-file - use a single password in a file

 

For example, let's say ping.yml is unencrypted. When unencrypted, ping.yml can be viewed using common commands, such as cat.

cat ping.yml

 

Let's say ping.yml contains the following.

---
- hosts: all
  gather_facts: false
  tasks:
    - ping:
...

 

ping.yml can be invoked using the ansible-playbook command.

ansible-playbook ping.yml

 

Which should return something like this.

PLAY [all] 

TASK [ping] 
ok: [server1.example.com]
ok: [server2.example.com]
ok: [server3.example.com]

PLAY RECAP 
server1.example.com      : ok=2    changed=0    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0
server2.example.com      : ok=2    changed=0    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0
server3.example.com      : ok=2    changed=0    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0

 

The ansible-vault encrypt command can be used to encrypt ping.yml.

ansible-vault encrypt ping.yml

 

You will be prompted to create a new vault password.

New Vault password:

 

Attempting to view the file using a normal command such as cat will display something like this.

$ANSIBLE_VAULT;1.1;AES256
66303833643731313633343266616162613965636161313534376563383639646463376630626635
3136316663626536303061333531303234616562323637330a373633393736393863373566623261
65643764336263613730666665663763383063386137383331386136366232666637626566653032
3933393061666138650a656238386665343838613833643435623932306539633138376533613039
6531

 

Now when running ping.yml using the ansible-playbook command, the --ask-vault-pass option can be used.

ansible-playbook ping.yml --ask-vault-pass

 

And you will be prompted for the vault password.

Vault password:

 

Or, to avoid being prompted for the vault password, you could create a Vault Password file, and then use the --vault-password-file command line option (if you are going to use the same password for all of the ansible-vault commands) . . .

ansible-playbook ping.yml --vault-password-file /usr/local/ansible/vault/.vault_password.txt

 

Or the --vault-id command line option (if you want to use different passwords) 

ansible-playbook ping.yml --vault-id test@/usr/local/ansible/vault/.vault_password.txt

 

Or you could set the vault_password_file directive in your ansible.cfg file.

[defaults]
vault_password_file = /usr/local/ansible/vault/.vault_password.txt

 

In this scenario, you wouldn't need to use any of the vault password command line options (--ask-vault-pass--vault-password-file--vault-id).

ansible-playbook ping.yml

 

Which should return something like this, which shows the same exact result with the encrypted ping.yml file as compared to the non-encrypted ping.yml file.


PLAY [all] 

TASK [ping] 
ok: [server1.example.com]
ok: [server2.example.com]
ok: [server3.example.com]

PLAY RECAP 
server1.example.com      : ok=2    changed=0    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0
server2.example.com      : ok=2    changed=0    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0
server3.example.com      : ok=2    changed=0    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0

 




Did you find this article helpful?

If so, consider buying me a coffee over at Buy Me A Coffee



Comments


Add a Comment


Please enter 6e013a in the box below so that we can be sure you are a human.