ansible-vault encrypt foo.yml bar.yml baz.yml
ansible-vault decrypt foo.yml bar.yml baz.yml
ansible-playbook site.yml --ask-vault-pass
sudo pip install cryptography
Article:
users:
  - name: user01
    password: "{{ vault_user_01_password }}"
vault_user_01_password: example
- hosts: example
  connection: local
  gather_facts: no
  become: no
  tasks:
    - debug:
        var: users
ansible-playbook -i hosts.ini playbook.yml --check --diff --vault-id varanus.txt -v
...
TASK [debug] *****************************************************************************************************************************************
ok: [varanus-0001] => {
    "users": "VARIABLE IS NOT DEFINED!: ... 'vault_user_01_password' is undefined"
Several approaches are possible.
Secrets Manager:
#!/usr/bin/env bash
# vault-id client script: prints the vault password stored in Secrets Manager
if [ -e ./vault.env ]; then
  source ./vault.env
fi
aws secretsmanager get-secret-value \
  --secret-id ${VAULT_ID} \
  | jq -r .SecretString \
  | jq -r .vault_id
export AWS_PROFILE=example
export AWS_DEFAULT_REGION=ap-northeast-1
export VAULT_ID=example-vault-id
aws secretsmanager --profile example create-secret --name ${VAULT_ID} --secret-string '{"vault_id": "'$(pwgen 32 1)'"}'
ansible-playbook -i hosts.ini --vault-id ./vault-id.sh
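As an added example (not the article's script), the same vault-id client written in Python: it reads the secret created by the `create-secret` command above and fails with a non-zero exit instead of handing Ansible an empty or malformed password. The helper names and the use of boto3 are this example's assumptions; the secret layout (`{"vault_id": "<password>"}` under `$VAULT_ID`) is the page's.

```python
#!/usr/bin/env python3
"""vault-id client script: print the Ansible Vault password stored in AWS
Secrets Manager under the secret named by $VAULT_ID, whose SecretString is
the JSON document {"vault_id": "<password>"} created above."""
import json
import os
import sys


def parse_vault_password(secret_string: str) -> str:
    """Extract the password from the SecretString JSON document."""
    try:
        doc = json.loads(secret_string)
    except ValueError as exc:
        raise ValueError(f"SecretString is not JSON: {exc}") from None
    if not isinstance(doc, dict) or not isinstance(doc.get("vault_id"), str):
        raise ValueError("SecretString has no string field 'vault_id'")
    return doc["vault_id"]


def validate_vault_password(password: str) -> str:
    """Catch a secret that was stored wrongly: an empty value, or one padded
    with whitespace (typically a trailing newline from `echo` without -n).
    Failing here is clearer than a later 'Decryption failed' from ansible."""
    if password == "":
        raise ValueError("vault password is empty")
    if password != password.strip():
        raise ValueError("vault password has leading/trailing whitespace")
    return password


def fetch_vault_password(secret_id: str) -> str:
    """Read the secret with boto3 (lazy import keeps parsing testable offline)."""
    import boto3  # assumption: boto3 is installed where the script runs

    resp = boto3.client("secretsmanager").get_secret_value(SecretId=secret_id)
    return validate_vault_password(parse_vault_password(resp["SecretString"]))


if __name__ == "__main__":
    # ansible-playbook takes the password from stdout; errors go to stderr.
    secret_id = os.environ.get("VAULT_ID")
    if not secret_id:
        sys.stderr.write("vault-id: VAULT_ID is not set\n")
        sys.exit(1)
    try:
        sys.stdout.write(fetch_vault_password(secret_id) + "\n")
    except (KeyError, ValueError) as exc:
        sys.stderr.write(f"vault-id: {exc}\n")
        sys.exit(1)
```

Save it as an executable file and pass it the same way as the bash version (`--vault-id ./vault-id.py`).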
Storing the vault password in S3:
group_vars/
  example/
    vars.yml   # general variables
    vault.yml  # encrypted variables
db_root_password: "{{ vault_db_root_password }}"
group_vars/example/main.yml
group_vars/example/credentials.yml
echo -n 'val2' | ansible-vault encrypt --ask-vault-pass
# or
echo -n 'val2' | ansible-vault encrypt --vault-password-file /path/to/passwd.txt
key2: !vault |
  $ANSIBLE_VAULT;1.1;AES256
  ...