Bootstrap FreeKB - Ansible - Decrypting a vault encrypted file
Ansible - Decrypting a vault encrypted file


Generally speaking, when you have sensitive data that needs to be encrypted, there are two main approaches.

  1. Store the encrypted data in a variable
  2. Copy the encrypted file to each managed node

By far, option 1 is the preferred approach, and this article describes option 1. If for some reason option 1 is not feasible, refer to How to copy an encrypted file to each managed node.


Let's say you have a file named locker.yml that contains the following.

test_password: itsasecret
prod_password: hGn4!kD98A

 

And you have encrypted locker.yml using the ansible-vault create or ansible-vault encrypt command. Attempting to view the locker.yml file using the cat command will display something like this.

$ANSIBLE_VAULT;1.1;AES256
66303833643731313633343266616162613965636161313534376563383639646463376630626635
3136316663626536303061333531303234616562323637330a373633393736393863373566623261
65643764336263613730666665663763383063386137383331386136366232666637626566653032
3933393061666138650a656238386665343838613833643435623932306539633138376533613039
6531

 

The ansible-vault view command can be used to view the content of the locker.yml file.

Or you could create a variable that contains the encrypted vault string, like this. The "bar" variable could also be defined in other ways, such as in the vars/main.yml file or in a group_vars file. Refer to Getting Started with Variables to understand the many different ways the "bar" variable could be defined.

---
- hosts: localhost
  vars:
    bar: !vault |
          $ANSIBLE_VAULT;1.1;AES256
          66303833643731313633343266616162613965636161313534376563383639646463376630626635
          3136316663626536303061333531303234616562323637330a373633393736393863373566623261
          65643764336263613730666665663763383063386137383331386136366232666637626566653032
          3933393061666138650a656238386665343838613833643435623932306539633138376533613039
          6531
  tasks:
    - name: display locker.yml
      debug:
        var: bar
...
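The text that ansible-vault writes, whether in locker.yml or inline after !vault, has a fixed layout: a header line, then a hex body that decodes to the salt, an HMAC and the ciphertext. The following is an added example, not code from this article or from Ansible itself, that parses that layout with only the Python standard library and checks a candidate password against the stored HMAC, which is exactly the check that decides whether ansible-vault will decrypt or report a wrong password. It assumes Ansible's AES256 scheme as implemented in its VaultAES256 class (PBKDF2-HMAC-SHA256 with 10000 rounds producing 80 bytes split into an AES key, an HMAC key and an IV; HMAC-SHA256 over the ciphertext). It goes slightly beyond the article by also accepting the 1.2 header that carries a vault-id label. The article's encrypted locker.yml is used only as parser input; the build_envelope helper, the constructed salt and the constructed ciphertext exist only to produce test data, and the AES-CTR decryption step itself is left to ansible-vault.

```python
"""Parse and integrity-check an Ansible Vault envelope with the standard library only.

Added example (not from the FreeKB article or from Ansible). Reimplements the
AES256 envelope layout and key schedule that ansible's VaultAES256 uses so that a
vault/password pair can be checked without running ansible-vault.
"""
import binascii
import hashlib
import hmac
from typing import List, NamedTuple, Optional, Tuple

HEADER_PREFIX = "$ANSIBLE_VAULT;"
PBKDF2_ROUNDS = 10000  # rounds used by ansible's VaultAES256

# The encrypted locker.yml shown in the article, used here only as parser input.
PAGE_VAULTTEXT = """\
$ANSIBLE_VAULT;1.1;AES256
66303833643731313633343266616162613965636161313534376563383639646463376630626635
3136316663626536303061333531303234616562323637330a373633393736393863373566623261
65643764336263613730666665663763383063386137383331386136366232666637626566653032
3933393061666138650a656238386665343838613833643435623932306539633138376533613039
6531
"""


class VaultEnvelope(NamedTuple):
    version: str            # "1.1", or "1.2" when a vault-id label is present
    cipher: str             # "AES256"
    vault_id: Optional[str] # label after the cipher in a 1.2 header, else None
    salt: bytes             # 32 random bytes chosen at encryption time
    mac: bytes              # HMAC-SHA256 over the ciphertext, keyed with key2
    ciphertext: bytes       # AES-256-CTR output, PKCS7-padded plaintext


def is_vault_encrypted(text: str) -> bool:
    """Cheap pre-commit style check: does this file carry a vault header at all?"""
    return text.lstrip().startswith(HEADER_PREFIX)


def parse_envelope(text: str) -> VaultEnvelope:
    """Split the envelope into header fields and raw salt / HMAC / ciphertext."""
    lines: List[str] = [ln.strip() for ln in text.strip().splitlines() if ln.strip()]
    if not lines or not lines[0].startswith(HEADER_PREFIX):
        raise ValueError("not an Ansible Vault envelope")
    fields = lines[0].split(";")
    if len(fields) < 3 or fields[2] != "AES256":
        raise ValueError(f"unsupported vault header: {lines[0]!r}")
    vault_id = fields[3] if len(fields) > 3 else None
    # The body is hex of "salt_hex\nhmac_hex\nciphertext_hex", line-wrapped at 80 columns.
    inner = binascii.unhexlify("".join(lines[1:]))
    try:
        salt_hex, mac_hex, ct_hex = inner.split(b"\n")
    except ValueError:
        raise ValueError("vault body lacks salt/hmac/ciphertext sections") from None
    return VaultEnvelope(fields[1], fields[2], vault_id,
                         binascii.unhexlify(salt_hex),
                         binascii.unhexlify(mac_hex),
                         binascii.unhexlify(ct_hex))


def derive_keys(password: str, salt: bytes) -> Tuple[bytes, bytes, bytes]:
    """Ansible's key schedule: 80 PBKDF2 bytes split into key1 (AES), key2 (HMAC), iv."""
    derived = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS, 80)
    return derived[:32], derived[32:64], derived[64:80]


def verify_password(env: VaultEnvelope, password: str) -> bool:
    """True when the password reproduces the stored HMAC, i.e. decryption would proceed."""
    _key1, key2, _iv = derive_keys(password, env.salt)
    expected = hmac.new(key2, env.ciphertext, hashlib.sha256).digest()
    return hmac.compare_digest(expected, env.mac)


def build_envelope(salt: bytes, ciphertext: bytes, password: str,
                   vault_id: Optional[str] = None) -> str:
    """Wrap an already-encrypted blob in an envelope (only used to make test data).

    Only the HMAC is computed here; `ciphertext` is taken as given, so the result is
    structurally valid but not something ansible-vault would decrypt to real YAML.
    """
    _key1, key2, _iv = derive_keys(password, salt)
    mac = hmac.new(key2, ciphertext, hashlib.sha256).hexdigest().encode()
    inner = b"\n".join([binascii.hexlify(salt), mac, binascii.hexlify(ciphertext)])
    body = binascii.hexlify(inner).decode()
    header = "$ANSIBLE_VAULT;1.2;AES256;" + vault_id if vault_id else "$ANSIBLE_VAULT;1.1;AES256"
    wrapped = "\n".join(body[i:i + 80] for i in range(0, len(body), 80))
    return header + "\n" + wrapped + "\n"


if __name__ == "__main__":
    env = parse_envelope(PAGE_VAULTTEXT)
    print(env.version, env.cipher, len(env.salt), len(env.mac), len(env.ciphertext))
```

A check like this fits a pre-commit hook or CI step: is_vault_encrypted catches a vault file that was committed in plaintext, and verify_password confirms that the password file in use still matches the vault without printing the secret.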

 

The ansible-playbook command with the --ask-vault-pass flag . . .

ansible-playbook foo.yml --ask-vault-pass

 

Should prompt you for the vault password that was used to encrypt locker.yml.

Vault password:

 

Assuming you provide the valid vault password, something like this should be returned.

TASK [display locker.yml]
ok: [localhost] => {
    "bar": "test_password: itsasecret\n\nprod_password: hGn4!kD98A\n"
}

 

Better yet, the password that was used to encrypt locker.yml could be written to a file, such as .vault_password.txt.

echo "itsasecret" > .vault_password.txt

 

Then change the permissions on .vault_password.txt so that only the owner of the file can read and write it.

chmod 0600 .vault_password.txt

 

And now the --vault-password-file command line option can be used.

ansible-playbook foo.yml --vault-password-file /usr/local/vault/.vault_password.txt
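The three steps above (write the password file, restrict it to the owner, point ansible-playbook at it) are easy to get slightly wrong: a file created with the default umask is world-readable until the chmod runs, and a file that is accidentally made executable is run by Ansible as a password script rather than read. The following is an added example, not code from this article, that creates the file with mode 0600 from the start and reports anything that would make it unsafe to pass to --vault-password-file. The path and password in it are constructed placeholders; the demo function exists only to exercise the helpers in a throwaway directory.

```python
"""Create and validate a vault password file for --vault-password-file.

Added example (not from the FreeKB article). Paths and the password used in
demo() are constructed placeholders.
"""
import os
import stat
import tempfile
from typing import Dict, List


def write_vault_password_file(path: str, password: str) -> None:
    """Create the file as 0600 from the first instant and refuse to overwrite one that exists."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(password + "\n")


def vault_password_file_problems(path: str) -> List[str]:
    """Return the reasons the file is unsafe for --vault-password-file; empty means fine."""
    problems: List[str] = []
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return ["file does not exist"]
    mode = stat.S_IMODE(st.st_mode)
    if not stat.S_ISREG(st.st_mode):
        problems.append("not a regular file")
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append(f"group/other can access it (mode {mode:04o}, expected 0600)")
    if mode & stat.S_IXUSR:
        # Ansible treats an executable password file as a script to run, not a file to read.
        problems.append("owner-executable: ansible would run it as a password script")
    if st.st_uid != os.geteuid():
        problems.append("not owned by the current user")
    return problems


def read_vault_password(path: str) -> str:
    """Read the secret the way Ansible does: the whole file, surrounding whitespace stripped."""
    with open(path, "r") as f:
        return f.read().strip()


def demo() -> Dict[str, object]:
    """Exercise the helpers in a temporary directory and return the findings per state."""
    results: Dict[str, object] = {}
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, ".vault_password.txt")   # constructed path
        write_vault_password_file(path, "constructed-example-password")
        results["fresh"] = vault_password_file_problems(path)
        results["secret"] = read_vault_password(path)
        os.chmod(path, 0o644)          # the mistake that chmod 0600 in the article fixes
        results["world_readable"] = vault_password_file_problems(path)
        os.chmod(path, 0o700)          # too much: owner-executable
        results["executable"] = vault_password_file_problems(path)
        try:
            write_vault_password_file(path, "again")
            results["clobbered"] = True
        except FileExistsError:
            results["clobbered"] = False
    return results


if __name__ == "__main__":
    for state, finding in demo().items():
        print(state, finding)
```

Running vault_password_file_problems before invoking ansible-playbook, or in a wrapper script, turns the article's chmod step into a check that fails loudly when someone later loosens the permissions.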

 

Be aware that if you attempt to use the split operator on the bar variable, the following will be returned. Refer to Resolve "ansible.parsing.yaml.objects.AnsibleVaultEncryptedUnicode object has no attribute split" for the steps on how to resolve this issue using the string filter.

TASK [display the content of the 'passwords' variable]
fatal: [localhost]: FAILED! => {"msg": "
The task includes an option with an undefined variable.
The error was: 'ansible.parsing.yaml.objects.AnsibleVaultEncryptedUnicode object' has no attribute 'split'\n\n
The error appears to be in '/usr/local/ansible/testing.yml': line 17, column 7, but may be elsewhere in the file depending on the exact syntax problem.
The offending line appears to be:
- name: display the contents of the 'passwords' variable
        ^ here

 



