Ansible + Python - Programmatically provide ansible-vault the vault password

Question

I followed the tutorial provided here: https://stackoverflow.com/questions/64705336/editing-ansible-vault-file-from-a-playbook to create the ability to programmatically update my Ansible vaults.

Let's say, though, that this is part of a much larger pipeline, where it is unreasonable to expect the end user to sit around waiting for the 3+ ansible-vault vault password prompts.

Is there a way to programmatically provide an ansible-vault call with the vault password such that it is automatically entered when it is required?

Ideally, the user at run time would enter the vault password once as part of the larger script, and then, as the script encounters needs that require ansible-vault, the password is provided as a variable as well so the user doesn't have to constantly check back to enter it.

Answer 1

Score: 1

Ansible can read Vault passwords from script output. You have to write a shell script whose name ends with -client and make it executable. File name extensions like .py are supported after the -client part. Your script should accept a --vault-id=<id> parameter, where <id> is the id of the Vault or empty, and it must return the password corresponding to the <id> via stdout.

In its simplest form your script could, for example, echo a predefined environment variable that you set in the environment parameter of the playbook task. No command-line parameter parsing is needed if you work with just one Vault id at a time. However, if you need to provide different passwords for multiple Vault ids at the same time (multiple --vault-id parameters per Ansible command), then you must parse and process the --vault-id parameter accordingly.

All Ansible commands that accept the --vault-id parameter support password entry via script. The syntax for the parameter is --vault-id <id>@<input method>, where <input method> can be a path to a static text file, a path to an executable file, or prompt for keyboard-interactive password input.

If you specify a value for <id>, then Ansible will call your script with the parameter --vault-id=<id>. Otherwise the script will be called with the parameter --vault-id=. When used with ansible-vault, <id> becomes the id of the resulting Vault. If no <id> is provided, then the resulting Vault will not have an id.

Examples

This is a very simple password client script. To use this script, save it into a text file named example-client, make it executable, and store your Vault password in the environment variable VAULT_PASSWORD using your preferred method.

#!/usr/bin/bash
# Print the password with no trailing newline. The variable is quoted so
# that a password containing spaces or glob characters is passed through intact.
echo -n "$VAULT_PASSWORD"

You can then provide the password for a Vault with id myvault like this:
ansible-playbook --vault-id myvault@example-client <other parameters>
or create a Vault without an id:
ansible-vault encrypt_string --vault-id @example-client

If you want to use an Ansible playbook task to create an Ansible-compatible YAML file that can later be imported with include_vars (which supports Vault), you can add the --stdin-name parameter and redirect the output to a file:

- name: Create Vault programmatically
  environment:
    VAULT_PASSWORD: Pa$$word123
  shell:
    cmd: >
      ansible-vault encrypt_string
      --vault-id myvault@example-client
      --stdin-name password > /path/to/vault.yml
    stdin: This text will be stored in the Vault
    stdin_add_newline: false
  register: vault_result

You can provide the text to be vaulted via stdin, but be sure to omit the trailing newline when piping, or it will become part of the Vault content.

Source

Ansible docs, especially https://docs.ansible.com/ansible/2.9/user_guide/vault.html#vault-password-client-scripts
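The answer above says that a client script serving several vault ids at once must parse the --vault-id argument itself but does not show how. The script below is an added example written for this page; it is not code from the answer or from the Ansible project. It answers each vault id from an environment variable (VAULT_PASSWORD_<ID> for a named id, VAULT_PASSWORD for the empty id), which is a naming convention chosen here, not one Ansible defines. It accepts both the --vault-id=<id> spelling used in the answer and the separate --vault-id <id> form, and when no variable is set for the requested id it exits with status 2, the code Ansible's client-script loader (ClientScriptVaultSecret.VAULT_ID_UNKNOWN_RC) interprets as "no secret for this vault id" so the error names the id instead of silently using an empty password. Save it under a name ending in -client before the extension, for example example-client.py, and make it executable.

```python
#!/usr/bin/env python3
"""Multi-id Ansible Vault password client script (added example, not Ansible's own code).

Ansible runs it as   example-client.py --vault-id <id>   (or with --vault-id=<id>, or with
an empty id when the --vault-id option had no id part) and reads the password from stdout.

Password lookup convention used by this example (an assumption, not an Ansible rule):
    VAULT_PASSWORD_<ID>   for a named vault id; <ID> is upper-cased, non-alphanumerics -> '_'
    VAULT_PASSWORD        for the unnamed (empty) vault id
"""
import argparse
import os
import re
import sys
from typing import Mapping, Optional, Sequence

# Exit status Ansible's ClientScriptVaultSecret treats as "script has no secret for this id".
VAULT_ID_UNKNOWN_RC = 2


def env_name_for(vault_id: str) -> str:
    """Map a vault id to the environment variable that is expected to hold its password."""
    if not vault_id:
        return "VAULT_PASSWORD"
    safe = re.sub(r"[^A-Za-z0-9]", "_", vault_id).upper()
    return f"VAULT_PASSWORD_{safe}"


def parse_vault_id(argv: Sequence[str]) -> str:
    """Extract the vault id from the argument vector Ansible passes to the script.

    Accepts '--vault-id=<id>' and '--vault-id <id>'; a missing option means the empty id.
    Unknown arguments are ignored so a future Ansible flag does not break the script.
    """
    parser = argparse.ArgumentParser(add_help=False)
    parser.add_argument("--vault-id", default="")
    namespace, _unknown = parser.parse_known_args(list(argv))
    return namespace.vault_id


def lookup_password(argv: Sequence[str], env: Mapping[str, str]) -> Optional[str]:
    """Return the password for the requested vault id, or None when none is configured.

    An empty variable counts as "not configured": emitting an empty password would only
    produce a confusing decryption failure later instead of a clear error here.
    """
    value = env.get(env_name_for(parse_vault_id(argv)))
    return value if value else None


def main() -> int:
    vault_id = parse_vault_id(sys.argv[1:])
    password = lookup_password(sys.argv[1:], os.environ)
    if password is None:
        sys.stderr.write(f"no password configured for vault id {vault_id!r} "
                         f"(set {env_name_for(vault_id)})\n")
        return VAULT_ID_UNKNOWN_RC
    # Write the password without a trailing newline; Ansible strips one anyway.
    sys.stdout.write(password)
    sys.stdout.flush()
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

With VAULT_PASSWORD_MYVAULT exported, `ansible-playbook --vault-id myvault@./example-client.py site.yml` and `ansible-vault encrypt_string --vault-id myvault@./example-client.py` both obtain the password from this script, and a second id such as `--vault-id prod_db@./example-client.py` is served from VAULT_PASSWORD_PROD_DB in the same run. For the question's use case, have the outer script prompt once (for example with `read -rs`) and export the variable, rather than writing the literal into the playbook's environment: block as the answer's task does, since that puts the vault password in a file that is usually committed. Note that the environment of the ansible process is readable by any other process running as the same user through /proc, so this is a convenience for interactive and CI runs, not a secret store; on CI, let the runner's secret injection populate the variable.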

Answer 2

Score: 0

  • You can provide the vault password to ansible-vault. For example, ansible-vault decrypt vault.yml --vault-password-file multi_password_file.

  • In addition, you can use the ansible-vault Python package for reading the vault in Python:

from pathlib import Path

from ansible_vault import Vault  # the third-party "ansible-vault" package from PyPI

# Strip the trailing newline that editors add to the password file, as
# ansible-vault's own --vault-password-file handling does; otherwise the
# newline becomes part of the password and decryption fails.
vault = Vault(Path('multi_password_file').read_text().strip())
data = vault.load(Path('vault.yml').read_text())

You can read more details about how to use Ansible Vault in Python.

Disclaimer: I wrote this article.

Posted by huangapple on 2023-02-07 00:40:56. Please keep this link when reposting: https://go.coder-hub.com/75364155.html