Reputation: 151
I have an Ansible playbook with vault, and I want to ask for vault password through the prompt box in my web interface and then pass the posted password when running ansible playbook. I tried to use:
echo $password | ansible-playbook test.yml --ask-vault-pass
to pass the password to the playbook, but it doesn't work, the error message is:
"msg": "Attempting to decrypt but no vault secrets found"
I don't want to store the password in a file for some reasons, and now I just want to try to automatically pass the password to the playbook while running it. Is there any advice for me? The Ansible version is 2.4.
Upvotes: 15
Views: 35773
Reputation: 4963
You can use --vault-password-file with a file descriptor:
ansible-playbook test.yml --vault-password-file <(echo somepassword)
Upvotes: 7
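The same file-descriptor idea without a shell, for the web-backend case in the question, as an added example that is not part of the original answers: the posted password is written to a pipe and ansible-playbook is pointed at the inherited descriptor, as `<(...)` does in the answer above. The names `vault_argv`, `run_with_secret_fd`, `run_playbook` and `MAX_PASSWORD_BYTES` are hypothetical, and the sketch assumes Python 3 on a POSIX system that provides /dev/fd.

```python
import os
import subprocess

MAX_PASSWORD_BYTES = 1024  # assumption: far below the kernel pipe buffer, so the write never blocks


def vault_argv(playbook, fd):
    """argv for ansible-playbook, reading the vault password from inherited descriptor `fd`."""
    return ["ansible-playbook", playbook, "--vault-password-file", f"/dev/fd/{fd}"]


def run_with_secret_fd(make_argv, password, timeout=600):
    """Run make_argv(fd) with `password` readable from pipe `fd`; returns (returncode, output).

    No shell is involved, so the posted value is never parsed as shell syntax,
    and it never appears in argv, the environment, or a file on disk.
    """
    data = password.encode("utf-8") + b"\n"
    if not password or "\n" in password or "\r" in password or len(data) > MAX_PASSWORD_BYTES:
        raise ValueError("vault password must be one non-empty line of limited length")

    read_fd, write_fd = os.pipe()
    try:
        # Fill the pipe and close the write end first, so the child sees EOF after the password.
        try:
            os.write(write_fd, data)
        finally:
            os.close(write_fd)
        result = subprocess.run(
            make_argv(read_fd),
            pass_fds=(read_fd,),          # the only extra descriptor the child inherits
            stdin=subprocess.DEVNULL,
            stdout=subprocess.PIPE,
            stderr=subprocess.STDOUT,
            text=True,
            timeout=timeout,
        )
    finally:
        os.close(read_fd)
    return result.returncode, result.stdout


def run_playbook(playbook, password):
    """What a web handler would call with the password from the submitted form."""
    return run_with_secret_fd(lambda fd: vault_argv(playbook, fd), password)
```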
Reputation: 53
Here's how I am doing things, and it works well. My command line looks like this:
[prompt/]$ansible-playbook -i <inventory>, /mnt/m/NetworkGetters/get_vpn_status.yml --extra-vars varsfilepath=/mnt/m/NetworkVars/host_vars/test-oci-test-vpn-config.yml
My sanitized passwords.yml (vault file) looks like this:
---
credentials:
  base: &base
    host: "{{ansible_host}}"
    timeout: 30
    transport: cli
  svc_rhelsystemrw:
    <<: *base
    username: svc_rhelsystemrw
    password: dWERE#@kds23
My playbooks follow this convention:
- name: Set VPN Configuration
  hosts: all
  connection: local
  gather_facts: no
  vars_files:
    - "{{ varsfilepath }}"
    - "/etc/ansible/NetworkVars/passwords.yml"
  vars:
    # ssh_auth credentials come from ansible vault
    provider_rw:
      username: "{{ credentials['svc_rhelsystemrw'].username }}"
      password: "{{ credentials['svc_rhelsystemrw'].password }}"
  tasks:
    - name: Capture Pre-change Configuration
      ios_command:
        provider: "{{ provider_rw }}"
        commands:
          - show running-config
      register: running_config_before
      tags: vpn
    - debug:
        var: running_config_before.stdout
      tags: vpn
Upvotes: 2
Reputation: 11
@All Make sure you are adding vault_password_file = into the [defaults] section of ansible.cfg file.
I was facing the same issue when I added vault_password_file = in another section, which was resolved after moving it into [defaults].
Try your luck if that helps.
Upvotes: 1
Reputation: 68449
You can use a script instead of providing the password through an interactive interface.
Here's an example for your use case:
Save path_to/vault_secret.sh file (add permissions to execute) with the following content:
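#!/bin/bash
# Print the vault password from the exported $password variable; quoted so it is not word-split or globbed.
echo "$password"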
Execute:
ansible-playbook test.yml --vault-password-file path_to/vault_secret.sh
Alternatively:
Add to ansible.cfg:
[defaults]
vault_password_file=path_to/vault_secret.sh
Execute:
ansible-playbook test.yml
Upvotes: 19