Ansible passing vault password file to playbook

I'm running a shell command in an Ansible playbook which takes a password to complete. I've generated a vault file (test_vault.txt) that contains my encrypted password. How do I pass it to my playbook so that when the playbook runs the shell task, it will take the encrypted password from my vault password file? My Ansible code looks like this:

- name: run openssl
  shell: openssl rsa -in hostname.enc.key -text -noout

If I run this command at the Linux prompt, I get:

Enter pw for hostname.enc.key: 

I then enter the password here. How do I pass my vault password in test_vault.txt to the playbook?

openssl supports a variety of ways to send in passwords, but likely the easiest is via -passin env:MY_AWESOME_PASSWORD and then set that in the environment: for your shell:

- name: run openssl
  shell: openssl rsa -passin env:MY_AWESOME_PASSWORD -in hostname.enc.key -text -noout
  environment:
    MY_AWESOME_PASSWORD: hunter2

This does pose the risk that anyone on the machine with the privileges to inspect the environment of other processes will be able to exfiltrate the password. If that is a risk that concerns you, you'll want to explore some of the other password communication schemes, which have their own threat models.

Let's have the variable pw_for_hostname_enc_key with the password encrypted in the file test_vault.txt. For example

shell> cat test_vault.txt
pw_for_hostname_enc_key: 4PepNGRTyzA

shell> ansible-vault encrypt test_vault.txt
Encryption successful

shell> cat test_vault.txt
$ANSIBLE_VAULT;1.1;AES256
35306366336231663239373437646639336432383030373937353065343266346561653039643038
3931396535613135633735613733346635363761616361650a373133663438383862643733343732
38356363623138316534343364346535313539653065303739386538626265366532616539653163
6232363232383965630a323831333162646239303630643837313937356233336664343634313766
31343536656637373038363936306563363232633432386631663334383030316339326332646162
3334396364353862613933326131366433363232656432323961

Then test the playbook. See Variable precedence: Where should I put a variable? For example

shell> cat pb.yml
- hosts: localhost
  tasks:
    - include_vars: test_vault.txt
    - debug:
        var: pw_for_hostname_enc_key

gives (abridged)

shell> ansible-playbook pb.yml 

ok: [localhost] => 
  pw_for_hostname_enc_key: 4PepNGRTyzA

If it's working, use it in other tasks. For example

    - name: run openssl
      shell: "openssl rsa -in hostname.enc.key 
                          -passin pass:{{ pw_for_hostname_enc_key }}
                          -text -noout"

The next option is to encrypt the password only. For example

shell> cat test_vault.txt
4PepNGRTyzA

shell> ansible-vault encrypt test_vault.txt
Encryption successful

shell> cat test_vault.txt
$ANSIBLE_VAULT;1.1;AES256
65656363363364376130323365303363643662313939346635646630613230656630343239666130
3563396666663763393132626438336433646661656232660a333239363063383434313237363730
61633931666630616337636434326536333335353836306230333464383432656664336431343637
3961316237346430660a656666316333313936386136383732366539373961303466313236343061
3332

Then test the playbook. The lookup plugin file automatically decrypts vault-encrypted files. For example,

- hosts: localhost
  tasks:
    - debug:
        var: pw_for_hostname_enc_key
      vars:
        pw_for_hostname_enc_key: "{{ lookup('file', 'test_vault.txt') }}"

gives (abridged)

shell> ansible-playbook pb.yml

ok: [localhost] => 
  pw_for_hostname_enc_key: 4PepNGRTyzA

If it's working, use it in other tasks. For example

    - name: run openssl
      shell: "openssl rsa -in hostname.enc.key 
                          -passin pass:{{ pw_for_hostname_enc_key }}
                          -text -noout"
      vars:
        pw_for_hostname_enc_key: "{{ lookup('file', 'test_vault.txt') }}"

This solution is safer because the scope of the variable with the password is limited to this single task only.
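As an added example that combines the two answers above (it is not code from either answer): the vault-encrypted password is read with lookup('file') and handed to openssl through the environment instead of -passin pass:, so it is not part of the process argument list that any local user can read with ps, and no_log keeps the rendered task (including its environment) out of the playbook output and logs. The file names test_vault.txt and hostname.enc.key are the ones from the question; the variable name HOSTNAME_KEY_PW and the vault password file path are assumptions. The environment-inspection caveat from the first answer still applies.

```yaml
# pb.yml -- run with:
#   ansible-playbook --vault-password-file /path/to/vault_pass.txt pb.yml
# The vault secret is supplied once on the command line; lookup('file')
# uses it to decrypt test_vault.txt (which holds only the key password).
- hosts: localhost
  gather_facts: false
  tasks:
    - name: run openssl with the vault-stored key password
      shell: openssl rsa -passin env:HOSTNAME_KEY_PW -in hostname.enc.key -text -noout
      environment:
        # decrypted transparently by the file lookup; scoped to this task only
        HOSTNAME_KEY_PW: "{{ lookup('file', 'test_vault.txt') }}"
      no_log: true          # never print the task args or environment
      changed_when: false   # inspecting a key does not modify the host
      register: key_info

    - name: show only that the key could be read, not its contents
      debug:
        msg: "openssl exit code {{ key_info.rc }}"
```

With no_log set, a failing task reports only that output was hidden; temporarily set no_log: false while debugging, then restore it.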
