Sreejith

Vault IDs in Ansible 2.4

Conventions: Commands are executed in bash and their outputs are shown in bold. Some command outputs are shown as screenshots to avoid possible truncation and formatting issues.

Ansible Vault IDs

Starting with Ansible 2.4, vault ids are supported.


Vault IDs make it possible to encrypt different files with different passwords and reference them all from the same playbook. Prior to Ansible 2.4, only one vault password could be used in each Ansible run, forcing all files to be encrypted with the same vault password.

NOTE: You can't encrypt the same file / string using two different passphrases. Vault IDs let you use different passphrases for different files, rather than the single shared passphrase that was required prior to Ansible 2.4.

First and foremost, vault IDs need to be pre-created and, as a best practice, referenced inside your ansible.cfg file.

The excerpt below is from 'ansible-config list' for DEFAULT_VAULT_IDENTITY_LIST:

DEFAULT_VAULT_IDENTITY_LIST:
  default: []
  description: A list of vault-ids to use by default. Equivalent to multiple --vault-id args. Vault-ids are tried in order.
  env:
  - {name: ANSIBLE_VAULT_IDENTITY_LIST}
  ini:
  - {key: vault_identity_list, section: defaults}
  name: Default vault ids
  type: list
  yaml: {key: defaults.vault_identity_list}

As seen from the output above, you can reference multiple vault ids and their corresponding vault password files (which hold your passphrases) in ansible.cfg using the vault_identity_list key under the [defaults] section.

My ansible.cfg has the below configuration.

[sanujan@fedora ansible]$ cat ansible.cfg
[defaults]
inventory = inventory
remote_user = root

vault_identity_list = inline@~/ansible/.inline_pass , files@~/ansible/.files_pass

I've pre-created two vault password files with appropriate permissions under my $HOME/ansible directory.

vault_identity_list = inline@~/ansible/.inline_pass , files@~/ansible/.files_pass

maps vault-id 'inline' to /home/sanujan/ansible/.inline_pass
and vault-id 'files' to /home/sanujan/ansible/.files_pass

The contents of those password files are shown below.

[sanujan@fedora ansible]$ cat ~/ansible/.files_pass
REDHAT

[sanujan@fedora ansible]$ cat ~/ansible/.inline_pass
redhat

[sanujan@fedora ansible]$ ls -l ~/ansible/.files_pass ~/ansible/.inline_pass
-r--------. 1 sanujan sanujan 7 Sep 23 06:25 /home/sanujan/ansible/.files_pass
-r--------. 1 sanujan sanujan 7 Sep 23 06:25 /home/sanujan/ansible/.inline_pass

I've created a sample playbook which has an encrypted string and a reference to an encrypted vars file (vars/vars.yml).

[attachment: vault_encryption.yml]

How the string and vars file are encrypted is detailed below.

Encrypting a file to be included/referenced inside the playbook

[sanujan@fedora ansible]$ ansible-vault encrypt --encrypt-vault-id files vars/vars.yml

--encrypt-vault-id files : This is how we reference the vault id 'files' to be used for encrypting the file vars/vars.yml in the playbook directory.

The above command doesn't prompt us for a password, as it references the id 'files' from ansible.cfg, which maps to ~/ansible/.files_pass, wherein we have the passphrase 'REDHAT' hardcoded.

In the vars/vars.yml file, a variable is initialized with the key 'course' and value 'DO457'.

To view the encrypted file, you can use the 'view' option of ansible-vault. Here the passphrase is picked up automatically by Ansible, as it's referenced inside ansible.cfg.

[sanujan@fedora ansible]$ ansible-vault view vars/vars.yml
course: DO457

Encrypting a string to be used inside a playbook

[sanujan@fedora ansible]$ ansible-vault encrypt_string --encrypt-vault-id inline -n testing this-is-the-secret

--encrypt-vault-id inline : This is how we reference the vault id 'inline' to be used for encrypting the string 'this-is-the-secret'.
-n testing : testing is the name of the variable which holds the value 'this-is-the-secret' (without quotes)

The above command doesn't prompt us for a password, as it references the id 'inline' from ansible.cfg, which maps to ~/ansible/.inline_pass, wherein we have the passphrase 'redhat' hardcoded.

The screenshot of the above command output is given below, to avoid any possible issues with YAML formatting.

[screenshot: encrypt_string_output.png]

As you can see, the output starts with the variable name 'testing', followed by '!vault |' indicating that it's vault encrypted. The header line that follows carries three fields:
1.2 - the vault format version, which supports vault ids.
AES256 - the AES cipher with a 256-bit key.
inline - the vault id in use.

NOTE: the vault id is visible in the header.

Now you can copy and paste the contents, including the variable name (here 'testing'), all the way down to the line before 'Encryption successful'.

Executing the playbook

[sanujan@fedora ansible]$ ansible-playbook vault_encryption.yml

[screenshot: ansible_playbook_execution_output.png]

Prompting the vault password during playbook execution

If the vault_identity_list key is set in ansible.cfg, Ansible will always read those password files in order (from left to right) to look for a matching passphrase, even disregarding the vault ids before the @ character.

vault_identity_list = inline@~/ansible/.inline_pass , files@~/ansible/.files_pass
and
vault_identity_list = ~/ansible/.inline_pass , ~/ansible/.files_pass
are effectively the same for decryption, as Ansible doesn't care about the vault ids mentioned in the ansible.cfg file: every file is tried from left to right in the hope of finding the correct passphrase. But if the filenames are not correctly referenced, it will throw an error.
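Because the vault id is stored in plaintext in the header (see the encrypt_string output above), you can audit a repository for vaulted content whose id has no secret in vault_identity_list without decrypting anything. The following is an added example, not code from the original post or from Ansible; the parse_identity_list, find_vault_headers and audit functions are my own names, and the YAML sample and its hex bodies are constructed placeholders.

```python
import re
# One vault_identity_list entry is "<id>@<source>"; a bare source (no "@")
# is registered under the 'default' id.
def parse_identity_list(value):
    """Return the set of vault ids that have a configured secret."""
    ids = set()
    for entry in value.split(","):
        entry = entry.strip()
        if entry:
            ids.add(entry.split("@", 1)[0] if "@" in entry else "default")
    return ids

# Header line shown in the post: $ANSIBLE_VAULT;<format>;<cipher>[;<vault-id>]
HEADER_RE = re.compile(
    r"^[ \t]*\$ANSIBLE_VAULT;(?P<fmt>1\.[12]);(?P<cipher>[A-Z0-9]+)"
    r"(?:;(?P<vid>[^;\s]+))?[ \t]*$", re.M)

def find_vault_headers(text):
    """Yield (format, cipher, vault_id) for every vault header in text.
    Format 1.1 headers carry no id, so Ansible files them under 'default'."""
    for m in HEADER_RE.finditer(text):
        yield m.group("fmt"), m.group("cipher"), m.group("vid") or "default"

def audit(text, configured_ids):
    """Vault ids used in text for which ansible.cfg supplies no secret."""
    return sorted({vid for _, _, vid in find_vault_headers(text)
                   if vid not in configured_ids})

# Constructed sample: the post's ansible.cfg value, and a vars file mixing a
# string encrypted with 'inline', one with an id that is not configured,
# and a pre-2.4 style (1.1) header. The hex bodies are placeholders.
CFG_VALUE = "inline@~/ansible/.inline_pass , files@~/ansible/.files_pass"
SAMPLE = """\
testing: !vault |
          $ANSIBLE_VAULT;1.2;AES256;inline
          3062...
db_password: !vault |
          $ANSIBLE_VAULT;1.2;AES256;prod
          6364...
legacy: !vault |
          $ANSIBLE_VAULT;1.1;AES256
          3838...
"""
if __name__ == "__main__":
    configured = parse_identity_list(CFG_VALUE)
    for fmt, cipher, vid in find_vault_headers(SAMPLE):
        print(f"format={fmt} cipher={cipher} vault-id={vid}")
    print("ids with no configured secret:", audit(SAMPLE, configured))
```

The left-to-right trial of every configured secret described above is Ansible's default; setting vault_id_match = True under [defaults] makes Ansible try only the secret whose id matches the header, which turns a wrong id into a hard decryption error instead of a silent fallback.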

If you want to be prompted for the password to decrypt the vault string/file, comment out the vault_identity_list key in ansible.cfg and execute the playbook with --vault-id id@prompt. For example:

[sanujan@fedora ansible]$ ansible-playbook --vault-id inline@prompt --vault-id files@prompt vault_encryption.yml

[screenshot: Vault_Prompt_Password.png]

As you can see, it prompts twice: once for the passphrase for vault id 'inline' and a second time for 'files'.

Vault IDs in Tower

Ansible Tower also supports vault ids starting with Tower 3.3. You can reference the vault ids while creating a credential of type 'Vault'.

[screenshot: Vault ID in Tower]

Hope you found this useful.

Credits: This entire discussion has been shamelessly adapted from the blogs referenced below and the Ansible documentation at http://docs.ansible.com

1. https://dev.iachieved.it/iachievedit/ansible-vault-ids/

2. http://www.bloggingforlogging.com/2018/05/20/decrypting-the-secrets-of-ansible-vault-in-powershell/

3. https://docs.ansible.com/ansible/2.6/user_guide/vault.html

tkonto

The best, to-the-point use case I have read about the subject.

BR
Theo