
How to pass ansible vault password as an extra var?

I have the ability to encrypt variables using another mechanism (the Azure pipeline secret feature), so I would like to save an ansible-vault password there (in the Azure pipeline) and pass it to the playbook execution as an extra var.

May I know if it can be done so?

An example of what I'm expecting is:

ansible-playbook --extra-vars "vault-password=${pipelinevariable}"

The vault password cannot be passed as an extra var. There are several ways to provide it, which are all covered in the documentation:

Very basically your options are:

  • providing it interactively by passing the --ask-vault-pass option
  • reading it from a file (static or executable) by either:
    1. providing the --vault-password-file /path/to/vault option on the command line
    2. setting the ANSIBLE_VAULT_PASSWORD_FILE environment variable (e.g. export ANSIBLE_VAULT_PASSWORD_FILE=/path/to/vault).

There is much more to learn in the above doc, especially how to use several vault passwords with ids, and how to use a client script to retrieve the password from a key store.

May I know if it can be done so?

Not familiar with Ansible Vault, but you have at least two directions based on the documents shared by Zeitounator.

1. Use a CMD task first to create a vault-password-file with plain-text content. (Not sure if the vault-password-file can be created in this way; it might not work.)

( echo $(SecretVariableName)>xxx.txt )

Then you may use the newly created xxx.txt file as input of ansible-playbook --vault-password-file /path/to/my/xxx.txt xxx.yml.

2. Create a corresponding vault-password-file before running the pipeline, and add it to version control (the same source repo as your current pipeline).

Then you can use ansible-playbook --vault-password-file easily when the vault-password-file is available. You can also store the password file in a private GitHub repo, fetch the repo via git clone https://{userName}:{userPassword}@github.com/xxx/{RepoName}.git, and copy the needed password file to the directory where you run the ansible-playbook commands via the Copy Files task. This direction should work regardless of whether direction 1 is supported.
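An added example, not code from this answer, showing the "write the secret to a file, then run the playbook" step in a form that keeps the plain-text password on disk only for the duration of one run: the file is created with mode 0600, overwritten and removed afterwards. The environment variable name VAULT_PASS is an assumption (it stands for whatever the pipeline maps its secret into).

```python
"""Run ansible-playbook with a vault password that exists only in an
environment variable (assumed name: VAULT_PASS), materialised as a
private temp file for the duration of the run."""
import os
import stat
import subprocess
import tempfile
from contextlib import contextmanager
from typing import Iterator, List


@contextmanager
def vault_password_file(secret: str) -> Iterator[str]:
    """Yield the path of a 0600 file holding `secret`; scrub and unlink on exit."""
    if not secret:
        raise ValueError("vault password is empty: secret not mapped into env?")
    fd, path = tempfile.mkstemp(prefix="vault-pass-")  # mkstemp creates mode 0600
    try:
        with os.fdopen(fd, "w") as fh:
            fh.write(secret)
        yield path
    finally:
        # Overwrite before unlinking so the plain-text password does not outlive the task.
        with open(path, "r+b") as fh:
            fh.write(b"\0" * len(secret.encode()))
        os.unlink(path)


def playbook_command(playbook: str, password_path: str, inventory: str) -> List[str]:
    """Build the ansible-playbook argv that points at the temp password file."""
    return ["ansible-playbook", "-i", inventory,
            "--vault-password-file", password_path, playbook]


def run_playbook(playbook: str, inventory: str, env_var: str = "VAULT_PASS") -> int:
    """The password file exists only inside the with-block."""
    with vault_password_file(os.environ.get(env_var, "")) as path:
        return subprocess.run(playbook_command(playbook, path, inventory)).returncode


def inspect_lifecycle(secret: str) -> dict:
    """Verification helper: file mode and content during the run, existence after."""
    with vault_password_file(secret) as path:
        mode = stat.S_IMODE(os.stat(path).st_mode)
        with open(path) as fh:
            content = fh.read()
    return {"mode": mode, "content": content, "exists_after": os.path.exists(path)}
```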

Although this doesn't use extra vars, I believe it fulfills what you were trying to do:

Optional/one-time only: ask for the password and set it as an environment variable:

read -s ansible_vault_pass && export ansible_vault_pass

Now use that variable in your ansible command:

ansible-playbook your-playbook.yml --vault-password-file <(cat <<<"$ansible_vault_pass")

Credits for, and explanation of, the <(cat <<<"") technique are in this other StackOverflow answer: Forcing cURL to get a password from the environment.

Thanks for confirmation and comments on this topic.

All these suggestions are similar to what I have been trying, in order to accomplish the decryption of my pre-generated vault file, per the original question.

I also keep reading about the alternatives to setting the environment variable before the playbook run. But this only works when you have hands-on access, mostly when testing my ansible playbook, deployment to a remote host, etc. All that works, even using scripts, when you set your ansible.cfg with entries like the following (which depend on the env variable being pre-set):

[defaults]
vault_password_file = ./Orchestration/ansible_get_sec.py

OR

[defaults]
vault_password_file = ./Orchestration/ansible_get_sec.sh

I was hoping to pass in "-e sec-param=${jenkins-secret}" and use "$sec-param" in the scripts above. Again, that works when the env variable is [exported] first, which cannot be easily done when automating straight from Jenkins-calling-ansible; yes, I still don't know if I would want that. But I would like to try, just to validate the behavior. However, as soon as the playbook command executes, the first thing that is performed is the [defaults] loading of the [vault_password_file] to resolve vault variables, as defined in group_vars/all/vault.yml.

Please note, pre-setting the ansible_vault_password in a file of a "deploy-repo" is not desired, because clear-text passwords, of any kind, are NOT allowed in our repos. Also notice the suggestion on creating a file (with $sec-param), but how do you inject/stop the playbook process to write that out before the vault_password_file is loaded via ansible.cfg?

Therefore, I am discouraged from using vault at the moment. Alternatively, I have overloaded my command with additional jenkins-secret-credentials parameters:

==> ansible-playbook -i /inventory. . . "-e sec1=**** sec2=*** etc. etc."

I really wanted to use ansible-vault, because it opens the door to more secure options. It is possible that using the recommended [ansible/latest/modules] mentioned by Zeitounator (Jul 3, 2020 at 7:21) above may actually resolve this. I still need to work it out with our devSecOps folks.
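The client-script route mentioned in the first answer, and the vault_password_file script from the ansible.cfg entries above, fit together as follows. This is an added example, not the asker's Orchestration script nor Ansible's own code: Ansible executes the configured vault_password_file and reads the password from its stdout, and a script whose filename ends in -client (for example ./Orchestration/ansible_get_sec-client.py, an assumed name) is additionally passed --vault-id <label>, so one script can serve several vault ids. The password is read from an environment variable filled by the CI secret store; the variable names ANSIBLE_VAULT_PASS and ANSIBLE_VAULT_PASS_<ID> are an assumed convention.

```python
#!/usr/bin/env python3
"""Vault password client script: prints the password for the requested
vault id to stdout, sourced from an environment variable populated by the
CI secret store (e.g. a Jenkins credential). Env var names are assumed."""
import os
import re
import sys
from typing import List, Mapping, Optional

ENV_PREFIX = "ANSIBLE_VAULT_PASS"   # assumed: ANSIBLE_VAULT_PASS or ANSIBLE_VAULT_PASS_<ID>


def parse_vault_id(argv: List[str]) -> Optional[str]:
    """Return the label from '--vault-id LABEL' or '--vault-id=LABEL', else None."""
    it = iter(argv)
    for arg in it:
        if arg == "--vault-id":
            return next(it, None)
        if arg.startswith("--vault-id="):
            return arg.split("=", 1)[1]
    return None


def env_key(vault_id: Optional[str]) -> str:
    """Map a vault id label to an env var name (labels may contain chars invalid there)."""
    if not vault_id:
        return ENV_PREFIX
    return f"{ENV_PREFIX}_{re.sub(r'[^A-Za-z0-9_]', '_', vault_id).upper()}"


def resolve_password(env: Mapping[str, str], vault_id: Optional[str]) -> str:
    """Fail fast (KeyError/ValueError) rather than hand Ansible an empty password."""
    key = env_key(vault_id)
    if key not in env:
        raise KeyError(key)
    value = env[key].rstrip("\r\n")   # secret stores often append a newline
    if not value:
        raise ValueError(f"{key} is set but empty")
    return value


def main(argv: Optional[List[str]] = None, env: Optional[Mapping[str, str]] = None) -> int:
    argv = sys.argv[1:] if argv is None else argv
    env = os.environ if env is None else env
    try:
        password = resolve_password(env, parse_vault_id(argv))
    except (KeyError, ValueError) as exc:
        print(f"vault client: no usable password ({exc})", file=sys.stderr)
        return 1   # non-zero exit makes ansible-playbook stop instead of decrypting with ''
    sys.stdout.write(password + "\n")
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

With the script marked executable, a single-id setup keeps the ansible.cfg entry above as is, while several ids are selected per run with --vault-id prod@./Orchestration/ansible_get_sec-client.py; in both cases the clear-text password never has to be committed to the repo.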
