简体繁体 English

Ansible保管库是否必须使用密码才能运行

[英]Does Ansible vault have to use a password to run

原文 2015-07-18 19:54:47 8 2 ansible/ ansible-vault

I have been looking into Ansible vault but want to check something incase I have missed a crucial point. 我一直在研究Ansible保险库，但想检查一下以防万一我错过了关键点。

Do you have to run the playbook and provide the password. 您必须运行剧本并提供密码吗？ Encrypting the data seems a great idea but if I share the playbook the person running it will require the password. 加密数据似乎是个好主意，但是如果我共享剧本，则运行它的人将需要密码。 If they have the password then they can decrypt the file and see the data. 如果他们具有密码，则他们可以解密文件并查看数据。

I would like to use it to set passwords for files but would like non admins to be able to run the playbook. 我想用它来设置文件密码，但希望非管理员能够运行剧本。

Have I missed something. 我错过了什么吗？ I am struggling to see its worth if this is the case. 如果是这种情况，我将努力查看其价值。

Thanks 谢谢

2 个解决方案

In your case you need something that will be brokering ansible execution. 在您的情况下，您需要将促成有效执行的措施。 Because like you've said an encryption would be useless if you share the password. 因为就像您说的那样，如果您共享密码，加密将毫无用处。

Like it's mentioned in the comment you can use Ansible Tower, or you can try and set a simple http endpoint that will be trigerring ansible based on specified parameters. 就像注释中提到的那样，您可以使用Ansible Tower，也可以尝试设置一个简单的http端点，该端点将根据指定的参数触发ansible。

The purpose of the vault is to keep secrets encrypted "at rest" (eg, in your source control repo, on-disk), so that someone can't learn the secrets by getting ahold of the content. 保管库的目的是使机密信息保持“静止”状态（例如，在源代码控制存储库中，在磁盘上），以便某人无法通过获取内容来学习机密信息。 As others have mentioned, if you want to delegate use of the secrets without divulging them, you'll need an intermediary like Tower. 正如其他人提到的那样，如果您想在不泄露秘密的情况下委派秘密的使用，则需要像Tower这样的中介机构。