运行 Ansible playbook 时如何自动传递保管库密码?
[英]How to automatically pass vault password when running Ansible playbook?
问题描述
I have an Ansible playbook with vault, and I want to ask for vault password through the prompt box in my web interface and then pass the posted password when running ansible playbook.
我有一个带有保险库的 Ansible playbook,我想通过我的 Web 界面中的提示框询问保险库密码,然后在运行 ansible playbook 时传递发布的密码。 I tried to use:我尝试使用:
echo $password | ansible-playbook test.yml --ask-vault-pass
to pass the password to the playbook, but it doesn't work, the error message is:将密码传递给剧本,但不起作用,错误消息是:
"msg": "Attempting to decrypt but no vault secrets found"
I don't want to store password in file for some resons and now I just want to try to automatically pass password to the playbook while running it.我不想为了某些原因将密码存储在文件中,现在我只想尝试在运行剧本时自动将密码传递给剧本。 Is there any advice to me?对我有什么建议吗? The ansible version is 2.4. ansible 版本是 2.4。
4 个解决方案
解决方案1
14 2018-01-30 06:32:24
You can use a script instead of providing the password through an interactive interface.您可以使用脚本而不是通过交互式界面提供密码。
Here's an example for your use case:以下是您的用例的示例:
Save
path_to/vault_secret.shfile (add permissions to execute) with the following content:使用以下内容保存path_to/vault_secret.sh文件(添加执行权限):#!/bin/bash echo $passwordExecute:
执行:ansible-playbook test.yml --vault-password-file path_to/vault_secret.sh
Alternatively:或者:
Add to
ansible.cfg:添加到ansible.cfg:[defaults] vault_password_file=path_to/vault_secret.shExecute:
执行:ansible-playbook test.yml
解决方案2
2 2020-02-06 12:23:06
您可以将--vault-password-file与文件描述符一起使用:
ansible-playbook test.yml --vault-password-file <(echo somepassword)
解决方案3
0 2019-09-09 20:33:20
@All Make sure you are adding vault_password_file = into the [defaults] section of ansible.cfg file. @All 确保将 vault_password_file = 添加到 ansible.cfg 文件的 [defaults] 部分。
I was facing the same issue when I added vault_password_file = in another section which was resolved after moving it into [defaults]当我在另一个部分中添加 vault_password_file = 时遇到了同样的问题,该部分在将其移入 [defaults] 后已解决
try your luck if that helps.如果有帮助,试试你的运气。
解决方案4
0 2019-10-30 18:25:18
Here's how I am doing things, and it works well.这就是我做事的方式,而且效果很好。 My command line looks like this:我的命令行如下所示:
[prompt/]$ansible-playbook -i <inventory>, /mnt/m/NetworkGetters/get_vpn_status.yml --extra-vars varsfilepath=/mnt/m/NetworkVars/host_vars/test-oci-test-vpn-config.yml
My sanitized passwords.yml (vault file) looks like this:我清理过的 passwords.yml(保险库文件)如下所示:
---
credentials:
base: &base
host: "{{ansible_host}}"
timeout: 30
transport: cli
svc_rhelsystemrw:
<<: *base
username: svc_rhelsystemrw
password: dWERE#@kds23
My playbooks follow this convention:我的剧本遵循这个约定:
name: Set VPN Configuration
hosts: all
connection: local
gather_facts: no
vars_files:
- "{{ varsfilepath }}"
- "/etc/ansible/NetworkVars/passwords.yml"
vars:
# ssh_auth credentials come from ansible vault
provider_rw:
username: "{{ credentials['svc_rhelsystemrw'].username }}"
password: "{{ credentials['svc_rhelsystemrw'].password }}"
tasks:
- name: Capture Pre-change Configuration
ios_command:
provider: "{{ provider_rw }}"
commands:
- show running-config
register: running_config_before
tags: vpn
- debug:
var: running_config_before.stdout
tags: vpn
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.