From bffcbf7acb1c46fb6528e089e0f4ed7d333ec98f Mon Sep 17 00:00:00 2001 From: Michele Cereda Date: Sun, 18 Aug 2024 21:05:37 +0200 Subject: [PATCH] chore(ansible): improve asking for vault password --- knowledge base/ansible.md | 24 ++++++++++++++++++++---- 1 file changed, 20 insertions(+), 4 deletions(-) diff --git a/knowledge base/ansible.md b/knowledge base/ansible.md index 25484c1..23d7735 100644 --- a/knowledge base/ansible.md +++ b/knowledge base/ansible.md @@ -758,16 +758,32 @@ Create and view protected data by using the `ansible-vault` command. Provide the Vault's password: - By using command line options.
- Make ansible ask for it using `‑‑ask‑vault‑pass`, or provide a file containing it with `--vault-password-file`. -- By using the `ansible.cfg` file to either always prompt for the password, or to specify the default location of the - password file: + Make ansible ask for it using `‑‑ask‑vault‑pass`, or provide a file containing it with `--vault-password-file`: + + ```sh + ansible … --ask-vault-pass + ansible-playbook … --vault-password-file 'password_file.txt' + ``` + +- By exporting the `ANSIBLE_VAULT_PASSWORD` or `ANSIBLE_VAULT_PASSWORD_FILE` environment variables to specify the + password itself or the location of the password file, respectively: + + ```sh + ANSIBLE_VAULT_PASSWORD_FILE='password_file.txt' ansible … + export ANSIBLE_VAULT_PASSWORD='abraKadabra' ; ansible-playbook … + ``` + +- By using the `ansible.cfg` config file to either always prompt for the password, or to specify the default location of + the password file: ```ini [defaults] vault_password_file = password_file.txt + ; ask_vault_pass = True ``` -- By exporting the `ANSIBLE_VAULT_PASSWORD_FILE` environment variable to specify the location of the password file. + Should the password file be executable, Ansible will execute it and use its output as the password for Vault.
+ This works well to integrate with CLI-capable password managers. Vault passwords can be any string, and there is currently no special command to create one.
One must provide the/a Vault password **every time one encrypts and/or decrypts data** with Vault.
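Review bot: the `export ANSIBLE_VAULT_PASSWORD='abraKadabra' ; ansible-playbook …` example in the new environment-variable bullet needs verifying, because `ANSIBLE_VAULT_PASSWORD` is not one of Ansible's documented configuration variables: the documented ones are `ANSIBLE_VAULT_PASSWORD_FILE` (the env counterpart of `vault_password_file`, which the hunk already shows) and `ANSIBLE_ASK_VAULT_PASS` (the counterpart of the `ask_vault_pass` option the hunk adds as a commented ini line). If the intent is to pass the password itself through the environment, the supported route is the executable password file described at the end of the hunk, e.g. a script that prints `$ANSIBLE_VAULT_PASSWORD`, so either rewrite the bullet around that or drop the `ANSIBLE_VAULT_PASSWORD` line. Independently of that, `export`ing a vault password in the shell leaves it in shell history and in the environment of every child process, which is worth a one-line caveat next to the example, and the sentence about executable password files would be more useful with the two operational details a reader will hit: the file must have the execute bit set and must print the password (and nothing else) on stdout, while a non-executable password file should be readable only by the owner.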