如何将 ansible 保险库密码作为额外的 var 传递?
[英]How to pass ansible vault password as an extra var?
问题描述
I have the ability to encrypt variables using another mechanism(Azure pipeline secret feature), so I would like to save an ansible-vault password there(in Azure pipeline) and pass it to playbook execution as an extra var.
我有能力使用另一种机制(Azure 管道秘密功能)加密变量,所以我想在那里保存一个 ansible-vault 密码(在 Azure 管道中)并将其作为额外的 var 传递给剧本执行。
May I know if it can be done so?我可以知道是否可以这样做吗?
An example of what/how I'm expecting is我期待什么/如何的一个例子是
ansible-playbook --extra-vars "vault-password=${pipelinevariable}"
3 个解决方案
解决方案1
2 已采纳 2020-07-02 06:31:48
Vault password cannot be passed as an extra var. Vault 密码不能作为额外的 var 传递。 There are several ways to provide it which are all covered in the documentation:有几种方法可以提供它,这些方法都包含在文档中:
- Providing vault password section in the general vault documentation.在通用保管库文档中提供保管库密码部分。
- Using vault in playbooks 在剧本中使用保险库
Very basically your options are:基本上你的选择是:
- providing it interactively passing the
--ask-vault-passoption通过--ask-vault-pass选项以交互方式提供它 - reading it from a file (static or executable) by either:通过以下任一方式从文件(静态或可执行文件)中读取它:
- providing the
--vault-password-file /path/to/vaultoption on the command line在命令行上提供--vault-password-file /path/to/vault选项 - setting the
ANSIBLE_VAULT_PASSWORD_FILEenvironment variable (egexport ANSIBLE_VAULT_PASSWORD_FILE=/path/to/vault).设置ANSIBLE_VAULT_PASSWORD_FILE环境变量(例如export ANSIBLE_VAULT_PASSWORD_FILE=/path/to/vault)。
- providing the
There is much more to learn in the above doc, especially how to use several vault passwords with ids, how to use a client script to retrieve the password from a key store...上面的文档中还有很多要学习的内容,尤其是如何使用带有 id 的多个保险库密码,如何使用客户端脚本从密钥库中检索密码......
解决方案2
2 2020-07-03 03:42:59
May I know if it can be done so?
Not familiar with Ansible Vault , but you have at least two directions based on the documents shared by Zeitounator .不熟悉Ansible Vault ,但根据Zeitounator共享的文档,您至少有两个方向。
1.Use a CMD task first to create a vault-password-file with plain-text content. 1.首先使用CMD 任务创建具有纯文本内容的 vault-password-file。 (Not sure if the vault-password-file can be created in this way, it might not work.) (不确定是否可以通过这种方式创建 Vault-password-file,它可能不起作用。)
( echo $(SecretVariableName)>xxx.txt ) ( echo $(SecretVariableName)>xxx.txt )
Then you may use the newly created xxx.txt file as input of ansible-playbook --vault-password-file /path/to/my/xxx.txt xxx.yml .然后你可以使用新创建的 xxx.txt 文件作为ansible-playbook --vault-password-file /path/to/my/xxx.txt xxx.yml 。
2.Create a corresponding vault-password-file before running the pipeline, add it to version control. 2.在运行管道之前创建一个对应的Vault-password-file,添加到版本控制中。 (Same source repo of your current pipeline) (您当前管道的相同源代码库)
Then you can use ansible-playbook --vault-password-file easily when the vault-password-file is available.然后,当 vault-password-file 可用时,您可以轻松使用ansible-playbook --vault-password-file 。 Also you can store the password file in private github repo, fetch the repo via git clone https://{userName}:{userPassword}@github.com/xxx/{RepoName}.git , copy the needed password file to the directory where you run the ansible-playbook commands via Copy Files task . Also you can store the password file in private github repo, fetch the repo via git clone https://{userName}:{userPassword}@github.com/xxx/{RepoName}.git , copy the needed password file to the directory您在其中通过Copy Files 任务运行 ansible-playbook 命令。 This direction should work no matter if direction 1 is supported.无论direction 1是否支持,该方向都应该有效。
解决方案3
0 2021-10-25 21:35:16
Although this doesn't use extra vars, I believe it fulfills what you were trying to do:尽管这不使用额外的变量,但我相信它可以满足您的要求:
Optional/one-time only: ask for the password and set it as an environment variable:可选/仅一次性:询问密码并将其设置为环境变量:
read -s ansible_vault_pass && export ansible_vault_pass
Now use that variable in your ansible command:现在在 ansible 命令中使用该变量:
ansible-playbook your-playbook.yml --vault-password-file <(cat <<<"$ansible_vault_pass")
Credits for, and explanation of the <(cat <<<"") technique are in this other StackOverflow answer: Forcing cURL to get a password from the environment . <(cat <<<"")技术的功劳和解释在另一个 StackOverflow 答案中: Forcing cURL to get a password from the environment 。
解决方案4
0 2022-08-18 18:12:29
Thanks for confirmation and comments on this topic.感谢您对此主题的确认和评论。
All these suggestions are similar to what I have been trying, in order to accomplish the decryption of my pre-generated vault file, per the original question.所有这些建议都类似于我一直在尝试的,以便根据原始问题完成对我预先生成的保管库文件的解密。
I also keep reading about the alternatives, to setting the environment variable before playbook run.我还继续阅读替代方案,在剧本运行之前设置环境变量。 But this only works when you have hands-on access, mostly when testing my ansible playbook, deployment to remote-host, etc. All that works, even using scripts when you set your ansible.cfg with the entries like: (which depend on env variable being pre-set)但这仅在您具有动手访问权限时才有效,主要是在测试我的 ansible 剧本、部署到远程主机等时。所有这些都有效,即使在您设置 ansible.cfg 时使用脚本,其中的条目如下:(取决于env 变量是预设的)
[defaults] vault_password_file =./Orchestration/ansible_get_sec.py OR vault_password_file =./Orchestration/ansible_get_sec.sh [默认值] vault_password_file =./Orchestration/ansible_get_sec.py 或 vault_password_file =./Orchestration/ansible_get_sec.sh
I was hoping to pass in the "-e sec-param=${jenkins-secret}" and use the "$sec-param" in the scripts above.我希望传入“-e sec-param=${jenkins-secret}”并在上面的脚本中使用“$sec-param”。 Again, that works when env variable is [exported] first, which cannot be easily done when automating straight from Jenkins-calling-ansible, yes I still don�t know if I would want that.同样,当 env 变量首先 [exported] 时有效,这在直接从 Jenkins-calling-ansible 自动化时不容易完成,是的,我仍然不知道我是否想要那样。 But I will like to try just to validate the behavior.但我想尝试验证行为。 However, as soon as the playbook command executes, the first thing that is performed is the [defaults] loading of the [vault_password_file] to resolve vault variables, as defined in the group_vars/all/vault.yml.但是,一旦 playbook 命令执行,首先执行的是 [vault_password_file] 的 [defaults] 加载,以解析在 group_vars/all/vault.yml 中定义的 vault 变量。
Please note, pre-setting the ansibel_vault_password in a file of a "deploy-repo" is not desired, because clear-text passwords, of any kind, are NOT allowed in our repos.请注意,不需要在“deploy-repo”文件中预先设置 ansibel_vault_password,因为我们的存储库中不允许使用任何类型的明文密码。 Also notice the suggesting on creating a file (with $sec-param), but how do you inject/stop the playbook-process to write that out, before the vault_password_file via ansible.cfg load?另请注意有关创建文件的建议(使用 $sec-param),但是如何在通过 ansible.cfg 加载 vault_password_file 之前注入/停止剧本进程以将其写出?
Therefore, I am discouraged from using vault at the moment.因此,我目前不鼓励使用 Vault。 Alternatively, I have overloaded my command with additional jenkins-secret-credentials parameters或者,我用额外的 jenkins-secret-credentials 参数重载了我的命令
==> ansible-playbook -i /inventory. ==> ansible-playbook -i /inventory. . . . . "-e sec1=**** sec2=*** etc. etc." “-e sec1=**** sec2=*** 等等等等。”
I really wanted to use ansible-vault, because it opens the door more secured options.我真的很想使用 ansible-vault,因为它打开了更安全的选择之门。 It is possible that using the recommended [ansible/latest/modules] mentioned by Zeitounator (Jul 3, 2020 at 7:21) above may actually resolve this.使用上面 Zeitounator(2020 年 7 月 3 日 7:21)提到的推荐的 [ansible/latest/modules] 可能实际上可以解决这个问题。 Still need to work it out with our devSecOps folks.仍然需要与我们的 devSecOps 人员一起解决。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.