Returns decrypted text from cipher text using a secret key file. Lets you get rid of plain-text passwords in an Ansible repository without using ansible-vault or encrypting whole files.
Configuration options in `ansible.cfg`. Please note the section name `filters`:

```ini
[filters]
vault_filter_key = vault.key # might be relative or absolute path
vault_filter_salt = 2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824 # generate random salt with '--salt' option
vault_filter_iterations = 1000000 # PBKDF2-SHA512 iterations
vault_filter_generate_key = yes # automatically generate vault key during playbook runtime
[defaults]
vault_password_file = vault.pass # this is from ansible-vault; if specified, the vault filter will use this password to generate the vault filter key
```
- generate a random salt and put it in the `ansible.cfg` file

  ```
  python filter_plugins/vault.py --salt
  ```

- generate the key file (you will be asked for a password if `vault_password_file` is not defined)

  ```
  python filter_plugins/vault.py --key
  ```

- encrypt the password to be used in a hostvar

  ```
  python filter_plugins/vault.py --encrypt my_secret_password_to_database
  ```

- store the encrypted password in hostvars (the Jinja expression must be quoted, otherwise YAML rejects the leading `{{`)

  ```yaml
  vars:
    db_password: "{{ 'gAAAAABWasKsAvkyCqmc_8p57vGHOHkAG4nU4vo8t6n6C-j3hItbiwC1BRLnrHBJtrDP1Rz2wG1HULRG_zkXF596H0dn-69S92Ky3ixDOCAGesFptH1-glQ=' | vault }}"
  ```

- when needed you may decrypt the password

  ```
  python filter_plugins/vault.py --decrypt gAAAAABWasKsAvkyCqmc_8p57vGHOHkAG4nU4vo8t6n6C-j3hItbiwC1BRLnrHBJtrDP1Rz2wG1HULRG_zkXF596H0dn-69S92Ky3ixDOCAGesFptH1-glQ=
  ```
If you set `vault_filter_generate_key = yes`, the `vault_password_file` option is present, and the vault filter salt is defined in `ansible.cfg`, the vault key file will be generated automatically, without any message, while the playbook is running. This option can be useful with Ansible Tower. It might be a good idea to remove the vault key in `post_tasks` in your playbook.
Example variables, referencing the cipher text either through another variable or inline:

```yaml
password_crypt: gAAAAABWasKsAvkyCqmc_8p57vGHOHkAG4nU4vo8t6n6C-j3hItbiwC1BRLnrHBJtrDP1Rz2wG1HULRG_zkXF596H0dn-69S92Ky3ixDOCAGesFptH1-glQ=
password_plain: "{{ password_crypt | vault }}"
password: "{{ 'gAAAAABWasKsAvkyCqmc_8p57vGHOHkAG4nU4vo8t6n6C-j3hItbiwC1BRLnrHBJtrDP1Rz2wG1HULRG_zkXF596H0dn-69S92Ky3ixDOCAGesFptH1-glQ=' | vault }}"
```
It is completely safe to keep the salt value in `ansible.cfg`; you can push it to your repository.

It is NOT safe to keep the vault key in the repository! Add it to `.gitignore`.
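The key derivation the configuration above describes, plus the integrity check a Fernet-style decrypter runs before it touches the cipher text, as an added example that is not the plugin's own code. It assumes the plugin derives a 32-byte Fernet key with PBKDF2-HMAC-SHA512 over the vault password and the configured salt and iteration count (the `gAAAAA...` cipher text on this page is Fernet's token format); the AES-CBC step itself is not shown, and `seal` only wraps an already-encrypted, constructed payload so the check can be exercised offline.

```python
import base64
import configparser
import hashlib
import hmac
import struct
import time

# Constructed ansible.cfg fragment; the salt is the one shown in the README above.
ANSIBLE_CFG = """
[filters]
vault_filter_key = vault.key  # might be relative or absolute path
vault_filter_salt = 2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824
vault_filter_iterations = 1000000  # PBKDF2-SHA512 iterations
"""

def read_filter_config(text):
    """Return (salt bytes, iterations) from the [filters] section of ansible.cfg text."""
    cfg = configparser.ConfigParser(inline_comment_prefixes=("#",))
    cfg.read_string(text)
    section = cfg["filters"]
    return bytes.fromhex(section["vault_filter_salt"]), section.getint("vault_filter_iterations")

def derive_key(password, salt, iterations):
    """PBKDF2-HMAC-SHA512 -> 32 bytes, urlsafe-base64 encoded (the shape of a Fernet key).
    Salt and iterations are public config; only the password and this key must stay secret."""
    raw = hashlib.pbkdf2_hmac("sha512", password, salt, iterations, dklen=32)
    return base64.urlsafe_b64encode(raw)

def seal(key, payload, timestamp=None):
    """Wrap an already-encrypted payload (iv || ciphertext) in Fernet's token layout:
    0x80 || 8-byte big-endian timestamp || payload || HMAC-SHA256 under the signing half of key."""
    ts = int(time.time()) if timestamp is None else timestamp
    body = b"\x80" + struct.pack(">Q", ts) + payload
    mac = hmac.new(base64.urlsafe_b64decode(key)[:16], body, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(body + mac)

def verify_token(token, key):
    """Integrity check performed before decryption: constant-time HMAC comparison.
    Returns the embedded timestamp, or raises ValueError for a malformed or altered token."""
    raw = base64.urlsafe_b64decode(token)
    if len(raw) < 1 + 8 + 16 + 32 or raw[0] != 0x80:
        raise ValueError("not a Fernet-format token")
    signing_key = base64.urlsafe_b64decode(key)[:16]
    expected = hmac.new(signing_key, raw[:-32], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, raw[-32:]):
        raise ValueError("token integrity check failed: wrong key or altered cipher text")
    return struct.unpack(">Q", raw[1:9])[0]
```

A token produced under a key derived from a different password, or with any byte of the cipher text changed, fails `verify_token` before any decryption is attempted; the 1,000,000 iterations from `ansible.cfg` are what make brute-forcing a leaked key file's password slow.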