
The Ansible Vault
As you can see from the previous section, Ansible variables often carry sensitive information such as usernames and passwords. It would be a good idea to put some security measures around these variables so that we can safeguard them. The Ansible Vault (https://docs.ansible.com/ansible/2.5/user_guide/vault.html) encrypts files so that they are not stored in plaintext.
All Ansible Vault functions start with the ansible-vault command. You can manually create an encrypted file via the create option. You will be asked to enter a password. If you try to view the file, you will find that the file is not in clear text. If you have downloaded the book example, the password I used was just the word password:
$ ansible-vault create secret.yml
Vault password: <password>
$ cat secret.yml
$ANSIBLE_VAULT;1.1;AES256
336564626462373962326635326361323639323635353630646665656430353261383737623<skip>653537333837383863636530356464623032333432386139303335663262
3962
To edit or view an encrypted file, we use the edit option or the view option respectively:
$ ansible-vault edit secret.yml
Vault password:
$ ansible-vault view secret.yml
Vault password:
Let's encrypt the group_vars/all and host_vars/localhost variable files:
$ ansible-vault encrypt group_vars/all host_vars/localhost
Vault password:
Encryption successful
Now, when we run the playbook, we will get a decryption failed error message:
ERROR! Decryption failed on /home/echou/Master_Python_Networking/chapter8/Vaults/group_vars/all
We will need to use the --ask-vault-pass option when we run the playbook:
$ ansible-playbook chapter8_10.yml --ask-vault-pass
Vault password:
The decryption will happen in memory for any Vault-encrypted files that are accessed.
We can also save the password in a file and make sure that this file has restricted permissions:
$ chmod 400 ~/.vault_password.txt
$ ls -lia ~/.vault_password.txt
809496 -r-------- 1 echou echou 9 Feb 18 12:17 /home/echou/.vault_password.txt
We can then execute the playbook with the --vault-password-file option:
$ ansible-playbook chapter8_10.yml --vault-password-file ~/.vault_password.txt
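As an added example that is not from the book, here is a small Python pre-commit style check for the two steps above: it verifies that every file under group_vars/ and host_vars/ starts with the $ANSIBLE_VAULT header (that is, it was run through ansible-vault encrypt) and that the vault password file carries no group/other permission bits, as after chmod 400. The directory layout and the password file name are assumptions taken from the session above.

```python
import os
import stat
import sys
from pathlib import Path

# A Vault header looks like: $ANSIBLE_VAULT;1.1;AES256  (format 1.2 adds ;vault-id)
VAULT_MAGIC = "$ANSIBLE_VAULT"
SUPPORTED_VERSIONS = {"1.1", "1.2"}
SUPPORTED_CIPHERS = {"AES256"}


def parse_vault_header(first_line: str):
    """Return (version, cipher, vault_id) for a well-formed Vault header line, else None."""
    parts = first_line.strip().split(";")
    if parts[0] != VAULT_MAGIC or len(parts) < 3:
        return None
    if parts[1] not in SUPPORTED_VERSIONS or parts[2] not in SUPPORTED_CIPHERS:
        return None
    return parts[1], parts[2], (parts[3] if len(parts) > 3 else None)


def is_vault_encrypted(path: Path) -> bool:
    """True only if the file's first line is a Vault header with a known cipher."""
    with path.open("r", encoding="utf-8", errors="replace") as fh:
        return parse_vault_header(fh.readline()) is not None


def find_plaintext_var_files(root: Path):
    """Variable files under group_vars/ and host_vars/ that are still plaintext."""
    offenders = []
    for var_dir in ("group_vars", "host_vars"):  # assumed inventory layout
        base = root / var_dir
        if base.is_dir():
            for path in sorted(p for p in base.rglob("*") if p.is_file()):
                if not is_vault_encrypted(path):
                    offenders.append(path.relative_to(root).as_posix())
    return offenders


def password_file_is_private(path: Path) -> bool:
    """True if no group/other permission bits are set, as after 'chmod 400'."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return mode & (stat.S_IRWXG | stat.S_IRWXO) == 0


if __name__ == "__main__":
    repo = Path(sys.argv[1] if len(sys.argv) > 1 else ".")
    for name in find_plaintext_var_files(repo):
        print(f"NOT ENCRYPTED: {name}")
```

Run it against the playbook directory before committing; a non-empty list means a variables file was added or edited without being re-encrypted.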
We can also encrypt just a string and embed the encrypted string inside of the playbook by using the encrypt_string option (https://docs.ansible.com/ansible/2.5/user_guide/vault.html#use-encrypt-string-to-create-encrypted-variables-to-embed-in-yaml):
$ ansible-vault encrypt_string
New Vault password:
Confirm New Vault password:
Reading plaintext input from stdin. (ctrl-d to end input)
new_user_password
!vault |
$ANSIBLE_VAULT;1.1;AES256
616364386438393262623139623561613539656664383834643338323966623836343737373361326134663232623861313338383534613865303864616364380a626365393665316133616462643831653332663263643734363863666632636464636563616265303665626364636562316635636462323135663163663331320a62356361326639333165393962663962306630303761656435633966633437613030326633336438366264626464366138323666376239656633623233353832
Encryption successful
The string can then be placed in the playbook file as a variable. In the next section, we will optimize our playbook even further with include and roles.