Образовательный проект «SnakeProject» Михаила Козлова

⇒ FreeBSD and Nix ⇐

CISCO

Voice(Asterisk\Cisco)

Microsoft

Powershell

Python

SQL\T-SQL

1С

Общая

WEB Разработка

ORACLE SQL \ JAVA

Мото

Стрельба, пневматика, оружие

Саморазвитие и психология

AnsibleVault - безопасное хранение данных для аутентификации

AnsibleVault - безопасное хранение данных для аутентификации

Создать файл с зашифрованным содержимым

# ansible-vault create test.txt
New Vault password:
Confirm New Vault password:

# cat test.txt
$ANSIBLE_VAULT;1.1;AES256
63333431343661326139393236396261333230663730396161363461323734613164636439373634
6630636336393834373439356261326131396635313336380a656538613362653464356663353734
62343364313162356133336265636532396530383536353639393538333336396663346637623038
6263396536336337310a333732336664353939363163383036373463326562393861303235343138
3636

# ansible-vault view test.txt
Vault password:
123
321
111

Зашифровать существующий файл

# echo "333" > test.txt

# ansible-vault encrypt test.txt

# cat test.txt
$ANSIBLE_VAULT;1.1;AES256
35356632643332316166373931316665343234366663626635613236336364616634633730356562
6232306461396233336331363362626661343163396333320a643533316661333634326134666539
33396631626135663039323937356539663435653464663833613137616266386239313134343238
3731633737626230390a313331363337333239346232386136386561666464363135366131363832
3266

# ansible-vault view test.txt
Vault password:
333

Редактировать существующий зашифрованный файл

# ansible-vault edit test.txt
Vault password:

Изменить пароль шифрования

# ansible-vault rekey test.txt
Vault password:
New Vault password:
Confirm New Vault password:
Rekey successful

Расшифровать файл

# ansible-vault decrypt test.txt
Vault password:
Decryption successful

Выполнение зашифрованного playbook через флаг –ask-vault-pass

# ansible-playbook --ask-vault-pass <vault-encrypted-playbook-file>.yml

Пример ниже

inventory.ini
[my-localhost]
127.0.0.1 ansible_connection=local

# ansible-vault create playbook.yml
New Vault password:
Confirm New Vault password:
---
- name: Basic tasks
  hosts: my-localhost
  tasks:
    - name: Execute uptime command
      command: uptime
      register: uptime_result
    - debug: var=uptime_result.stdout_lines

# ansible-playbook -i inventory.ini playbook.yml
[WARNING]: Invalid characters were found in group names but not replaced, use
-vvvv to see details
ERROR! Attempting to decrypt but no vault secrets found

# ansible-playbook --ask-vault-pass -i inventory.ini playbook.yml
Vault password:
[WARNING]: Invalid characters were found in group names but not replaced, use
-vvvv to see details
PLAY [Basic tasks] *************************************************************
TASK [Gathering Facts] *********************************************************
ok: [127.0.0.1]
TASK [Execute uptime command] **************************************************
changed: [127.0.0.1]
TASK [debug] *******************************************************************
ok: [127.0.0.1] => {
    "uptime_result.stdout_lines": [
        " 12:08:41 up 57 days, 16:32,  1 user,  load average: 1.00, 0.46, 0.33"
    ]
}
PLAY RECAP *********************************************************************
127.0.0.1 : ok=4 changed=1 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0

Использование файла паролей

# echo '111' > /etc/.ansible_vault_pass

# ansible-playbook --vault-password-file=/etc/.ansible_vault_pass -i inventory.ini playbook.yml
[WARNING]: Invalid characters were found in group names but not replaced, use
-vvvv to see details
PLAY [Basic tasks] *************************************************************
TASK [Gathering Facts] *********************************************************
ok: [127.0.0.1]
TASK [Execute uptime command] **************************************************
changed: [127.0.0.1]
TASK [debug] *******************************************************************
ok: [127.0.0.1] => {
    "uptime_result.stdout_lines": [
        " 12:08:41 up 57 days, 16:32,  1 user,  load average: 1.00, 0.46, 0.33"
    ]
}
PLAY RECAP *********************************************************************
127.0.0.1 : ok=4 changed=1 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0

Переменная среды

export ANSIBLE_VAULT_PASSWORD_FILE=/etc/.ansible_vault_pass

ansible.cfg
[defaults]
........
vault_password_file = /etc/.ansible_vault_pass

Шифрование чувствительных переменных

Используем в продакшн для шифрования паролей, ключей и т.п.

# ansible-vault create vars/vars.yml
New Vault password:
Confirm New Vault password:
pass: mypass
api: myapi

playbook.yml
---
- name: Basic tasks
  hosts: my-localhost
  tasks:
    - name: Include vars
      include_vars:
        dir: vars
    - name: Execute command
      command: echo {{ pass }} {{ api }}
      register: command_result
    - debug: var=command_result.stdout_lines

# ansible-playbook --vault-password-file=.ansible_vault_pass -i inventory.ini playbook.yml
[WARNING]: Invalid characters were found in group names but not replaced, use
-vvvv to see details
PLAY [Basic tasks] *************************************************************
TASK [Gathering Facts] *********************************************************
ok: [127.0.0.1]
TASK [Include vars] ************************************************************
ok: [127.0.0.1]
TASK [Execute command] *********************************************************
changed: [127.0.0.1]
TASK [debug] *******************************************************************
ok: [127.0.0.1] => {
    "command_result.stdout_lines": [
        "mypass myapi"
    ]
}
PLAY RECAP *********************************************************************
127.0.0.1 : ok=4 changed=1 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0

Комментарии пользователей