AKAI TSUKI

System development or Technical something

Use Ansible Vault.

About the Ansible version

Check the version.

# ansible --version
ansible 2.6.1
  config file = /etc/ansible/ansible.cfg
  configured module search path = [u'/root/.ansible/plugins/modules', u'/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/lib/python2.7/site-packages/ansible
  executable location = /usr/bin/ansible
  python version = 2.7.5 (default, Jul 13 2018, 13:06:57) [GCC 4.8.5 20150623 (Red Hat 4.8.5-28)]
#

Use ansible-vault.

This is the inventory file.

# cat hosts
[test]
node01 ansible_host=172.16.10.101 ansible_user=root
#

I encrypt the host vars file.

Before:

# cat host_vars/node01.yml
---
ansible_ssh_pass: <pass>
#

I use the ansible-vault command to encrypt this "Host Variables" file.

# ansible-vault encrypt host_vars/node01.yml
New Vault password:
Confirm New Vault password:
Encryption successful
#

After:

# cat host_vars/node01.yml
$ANSIBLE_VAULT;1.1;AES256
*snip*
#

After encrypting the host vars file with ansible-vault, I run ansible-playbook without the --ask-vault-pass option.
The result is an error.

# ansible-playbook -i hosts access.yml

PLAY [test] ****************************************************************************************
ERROR! Attempting to decrypt but no vault secrets found
# 

So I run ansible-playbook with the --ask-vault-pass option.

# ansible-playbook -i hosts access.yml --ask-vault-pass
Vault password:

PLAY [test] ****************************************************************************************

TASK [Gathering Facts] *****************************************************************************
ok: [node01]

TASK [Execute hostname] ****************************************************************************
changed: [node01]

TASK [Execute id] **********************************************************************************
changed: [node01]

TASK [Execute date] ********************************************************************************
changed: [node01]

PLAY RECAP *****************************************************************************************
node01                     : ok=4    changed=3    unreachable=0    failed=0

#

I can also use the --vault-password-file option, with the vault password saved in vault.txt.

# vi vault.txt
# ansible-playbook -i hosts access.yml --vault-password-file=./vault.txt

PLAY [test] ****************************************************************************************

*snip*

PLAY RECAP *****************************************************************************************
node01                     : ok=4    changed=3    unreachable=0    failed=0

#

Or use the --vault-id option.

# ansible-playbook -i hosts access.yml --vault-id vault.txt

PLAY [test] ****************************************************************************************

*snip*

PLAY RECAP *****************************************************************************************
node01                     : ok=4    changed=3    unreachable=0    failed=0

#
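
A pre-flight check for the setup above, as an added example that is not part of the original post: it lists host vars files that still hold a password in cleartext (no $ANSIBLE_VAULT header) and tests whether the vault password file is readable by group or other. The function names, the variable names beyond ansible_ssh_pass, and the demo files are assumptions constructed for the example.

```sh
#!/bin/sh
# Added example: pre-flight checks for a vault-protected Ansible tree.

# True when FILE starts with the vault header shown in the "After" listing.
is_vault_encrypted() {
    case "$(head -n 1 -- "$1" 2>/dev/null)" in
        '$ANSIBLE_VAULT;'*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print each YAML file under DIR that still holds a password variable in
# cleartext. The variable names checked are an assumption; extend as needed.
find_plaintext_secrets() {
    find "$1" -type f \( -name '*.yml' -o -name '*.yaml' \) | sort |
    while IFS= read -r f; do
        is_vault_encrypted "$f" && continue
        if grep -Eq '^[[:space:]]*ansible_(ssh_pass|password|become_pass)[[:space:]]*:' "$f"; then
            printf '%s\n' "$f"
        fi
    done
}

# True when FILE grants no permissions to group or other (for example 0600).
pwfile_is_private() {
    case "$(ls -ld -- "$1" 2>/dev/null)" in
        ????------*) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed demo tree (not the post's files): node01 is cleartext,
# node02 carries a vault header, vault.txt starts out world-readable.
demo=$(mktemp -d)
mkdir -p "$demo/host_vars"
printf '%s\n' '---' 'ansible_ssh_pass: example-only' > "$demo/host_vars/node01.yml"
printf '%s\n' '$ANSIBLE_VAULT;1.1;AES256' '0000' > "$demo/host_vars/node02.yml"
printf '%s\n' 'example-only' > "$demo/vault.txt"
chmod 644 "$demo/vault.txt"

echo "Cleartext secrets found in:"
find_plaintext_secrets "$demo/host_vars"
pwfile_is_private "$demo/vault.txt" || echo "vault.txt is readable by group/other"
chmod 600 "$demo/vault.txt"
pwfile_is_private "$demo/vault.txt" && echo "vault.txt is private after chmod 600"
```

To check a real tree, call find_plaintext_secrets on the host_vars directory and pwfile_is_private on the file passed to --vault-password-file or --vault-id.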