堆栈内存溢出
  简体   繁体   English

在ansible剧本中运行ansible-vault crypto_string

[英]Run ansible-vault encrypt_string in ansible playbook

 原文  2017-12-22 15:16:09       ansible/ ansible-2.x/ rundeck

问题描述

I have a job in Rundeck , which require users to pass in database password to ansible. 我在Rundeck有一份工作,要求用户将数据库密码传递给ansible。 And ansible will take it as an extra variable. 并且ansible将其作为一个额外的变量。 

ansible-playbook test.yml -e "password=123"

However, we would like to vault the password during the runtime, but from ansible's best practice . 但是,我们希望在运行时对密码进行存储,但要遵循 ansible的最佳做法 They would require the password to be stored in a file. 他们将要求密码存储在文件中。 and vault the entire file using ansible-vault create. 并使用ansible-vault创建存储整个文件。

Since we have a large number of the password to pass in, and I notice there is a function call encrypt_string. 由于我们要传递大量密码,因此我注意到有一个函数调用crypto_string。 I try to call it in a playbook and try to generate a vault password on the fly, but I'm getting error below: 我尝试在剧本中调用它,并尝试动态生成保险库密码,但是下面出现错误:

"ERROR! Only one --vault-id can be used for encryption. This includes passwords from configuration and cli." “错误!只能使用一个--vault-id进行加密。这包括来自配置和cli的密码。”

Here is my playbook test.yml : 这是我的剧本test.yml 

---
- name: test
  hosts: localhost
  tasks:
  - name: vault var
    command: ansible-vault encrypt_string "{{ password }}" --vault-password-file ~/.vault_pass.txt
    register: var

  - name: variable
    set_fact:
      mypass: var

  - name: test encrypt_string
    debug:
      msg: "{{ mypass }}"

I'm not sure if this is the correct way to do it/best practice, anyone can shed some light will be very appreciated. 我不确定这是否是正确的做法/最佳做法,任何人都可以有所启发将不胜感激。

Thanks, 谢谢,

1 个解决方案

解决方案1
 0  2017-12-23 18:45:46

You may update your task by removing option --vault-password-file as ansible seems getting/reading it from your environment some way. 您可以通过删除选项--vault-password-file来更新任务,因为ansible似乎通过某种方式从您的环境中获取/读取了它。 

...
...
- name: test
  hosts: localhost
  tasks:
  - name: vault var
    command: ansible-vault encrypt_string "{{ password }}" 
    register: var
...
...

If you prefer to keep this option in playbook, you may need to find where ansible is reading it from. 如果您希望将此选项保留在剧本中,则可能需要查找ansible从何处读取它。 Ansible may be reading it from it's default config file, generally found at ~/.ansible.cfg [look for vault_password_file ] or alias or somewhere else. Ansible可能正在从其默认配置文件中读取它,该文件通常位于~/.ansible.cfg [查找vault_password_file ]或alias或其他位置。

You may find more details at ansible vault documentation with examples. 您可以在Ansible Vault文档中找到带有示例的更多详细信息。

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 Ansible-vault没有正确传递给playbook - Ansible-vault not being passed to playbook correctly 使用 ansible-vault 加密 Ansible Playbook .pem 私钥 - Encrypting Ansible Playbook .pem private key with ansible-vault 如何使用 ansible-vault 2.3.0 解密字符串 - How to decrypt string with ansible-vault 2.3.0 ansible vault加密字符串 - ansible vault encrypt string 使用 ansible-vault 一次加密多个文件 - use ansible-vault to encrypt multiple files at once Ansible 检查文件是否由 ansible-vault 加密 - Ansible check if file is encrypted by ansible-vault 带有“奇数长度字符串”的 Ansible 保险库错误 - Ansible-vault errors with “Odd-length string” 如何使用Vault在Ansible中运行Playbook API - How to run playbook api in Ansible with vault 使用 ansible-vault 部署敏感数据 - Deploying sensitive data using ansible-vault 带库文件的Ansible剧本 - Ansible playbook with vault file
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM