Ansible + Python - Programmatically provide ansible-vault the vault password
Question
I followed the tutorial provided here: https://stackoverflow.com/questions/64705336/editing-ansible-vault-file-from-a-playbook to create the ability to programmatically update my ansible vaults.

Let's say though this is part of a much larger pipeline, where it is unreasonable to expect the end user to sit around waiting for the 3+ ansible-vault vault password prompts.

Is there a way to programmatically provide an ansible-vault call with the vault password such that it is automatically entered when it is required?

Ideally, the user at run-time would enter the vault password once as part of the larger script, and then as the script encounters needs that require ansible-vault, the password is provided as a variable as well so the user doesn't have to constantly check back to enter it.
Answer 1
Score: 1
Ansible can read Vault passwords from script output. You have to write a shell script with a name that ends with -client and make it executable. File name extensions like .py are supported after the -client part. Your script should accept a --vault-id=<id> parameter, where <id> is the id of the Vault or empty, and it must return the password corresponding to the <id> via stdout.

In its simplest form your script could, for example, echo a predefined environment variable that you set in the environment parameter of the playbook task. No command line parameter parsing is needed if you work with just one Vault id at a time. However, if you need to provide different passwords for multiple Vault ids at the same time (multiple --vault-id parameters per Ansible command), then you must parse and process the --vault-id parameter accordingly.

All Ansible commands that accept the --vault-id parameter support password entry via script. The syntax for the parameter is --vault-id <id>@<input method>, where <input method> can be a path to a static text file, a path to an executable file, or prompt for keyboard-interactive password input.

If you specify a value for <id>, then Ansible will call your script with the parameter --vault-id=<id>. Otherwise the script will be called with the parameter --vault-id=. When used with ansible-vault, <id> becomes the id of the resulting Vault. If no <id> is provided, then the resulting Vault will not have an id.
Examples
This is a very simple password client script. To use this script, save it into a text file named example-client, make it executable, and store your Vault password into the environment variable VAULT_PASSWORD using your preferred method.
#!/usr/bin/bash
# Print the password from the environment without a trailing newline; the
# variable is quoted so the password is not word-split or glob-expanded.
echo -n "$VAULT_PASSWORD"
You can then provide the password for a Vault with id myvault like this:
ansible-playbook --vault-id myvault@example-client <other parameters>
or create a Vault without an id:
ansible-vault encrypt_string --vault-id @example-client
If you want to use an Ansible playbook task to create an Ansible-compatible YAML file that can be later imported with include_vars – which supports Vault – you can add the --stdin-name parameter and redirect output to a file:
- name: Create Vault programmatically
  environment:
    VAULT_PASSWORD: Pa$$word123
  shell:
    cmd: >
      ansible-vault encrypt_string
      --vault-id myvault@example-client
      --stdin-name password > /path/to/vault.yml
    stdin: This text will be stored in the Vault
    stdin_add_newline: false
  register: vault_result
You can provide the text to be vaulted via stdin but be sure to omit the trailing newline when piping or it will become part of the Vault content.
Source
Ansible docs, especially https://docs.ansible.com/ansible/2.9/user_guide/vault.html#vault-password-client-scripts
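As an added example (not part of the original answer), here is a vault password client written in Python, which the answer notes is supported when the file name keeps the -client part, e.g. example-client.py. It parses the --vault-id argument Ansible passes and looks up the password in the environment, so a wrapper script can ask the user once and export the passwords for every later ansible-vault call; the VAULT_PASSWORD_<ID> naming for multiple vault ids is an assumption of this example.

```python
#!/usr/bin/env python3
# example-client.py (added example): Ansible runs `example-client.py --vault-id=<id>`
# and reads the password from stdout. Passwords come from the environment, so a
# wrapper script can prompt the user once and export them for every later call:
#   VAULT_PASSWORD_<ID> for a named id, VAULT_PASSWORD for the empty id
# (this naming convention is an assumption of the example, not an Ansible rule).
import argparse
import os
import re
import sys


def env_var_for(vault_id):
    """Map a vault id to the environment variable holding its password."""
    if not vault_id:
        return "VAULT_PASSWORD"
    # Upper-case the id and replace anything non-alphanumeric, e.g. prod-db -> PROD_DB
    return "VAULT_PASSWORD_" + re.sub(r"[^A-Za-z0-9]", "_", vault_id).upper()


def lookup_password(vault_id, env):
    """Return the password for vault_id from env, or None if it is not set."""
    return env.get(env_var_for(vault_id))


def parse_vault_id(argv):
    """Parse the --vault-id argument; '' when Ansible passes --vault-id= or nothing."""
    parser = argparse.ArgumentParser(description="Ansible vault password client")
    parser.add_argument("--vault-id", default="")
    return parser.parse_args(argv).vault_id


def main(argv=None, env=None):
    vault_id = parse_vault_id(sys.argv[1:] if argv is None else argv)
    password = lookup_password(vault_id, os.environ if env is None else env)
    if password is None:
        # Fail loudly rather than print nothing: an empty stdout would make
        # Ansible try an empty password and report a confusing decryption error.
        print(f"{env_var_for(vault_id)} is not set for vault id {vault_id!r}",
              file=sys.stderr)
        return 1
    sys.stdout.write(password)  # no trailing newline, as in the answer's bash script
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

With VAULT_PASSWORD_MYVAULT exported, `ansible-playbook --vault-id myvault@./example-client.py ...` gets its password without any prompt, and an unset variable fails the run with a clear message on stderr.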
Answer 2
Score: 0
- You can provide a vault password to ansible-vault. For example, ansible-vault decrypt vault.yml --vault-password-file multi_password_file.
- In addition, you can use the ansible-vault Python package for reading the vault in Python:

from pathlib import Path
from ansible_vault import Vault  # PyPI package "ansible-vault"
vault = Vault(Path('multi_password_file').read_text().strip())  # Ansible strips whitespace around a password-file secret, so do the same
data = vault.load(Path('vault.yml').read_text())  # decrypt the vault and parse it as YAML
You can read more details about how to use Ansible Vault in Python.
Disclaimer: I wrote this article.