13

I'm trying to understand how to encrypt single variables with vault. First I encrypt the string with `ansible-vault encrypt_string -n -p`, then I write the output into my playbook. When I execute the playbook it says that the decrypted string isn't JSON serializable.

Encrypted string: "inline_name". I also tried it with inline_name and inlinename, every time with the same result.

My playbook:

    ---
    - name: Build System
      hosts: dev
      tasks:
      - name: Create
        mysql_db:
          state: present
          name: !vault |
              $ANSIBLE_VAULT;1.1;AES256
              39613261386438623937643062636166663638633062323939343734306334346537613233623064
              3761633832326365356231633338396132646532313861350a316666376566616633376238313636
              39343833306462323534623238333639663734626662623731666239366566643636386261643164
              3861363730336331660a316165633232323732633364346636363764623639356562336536636136
              6364
          login_host: "{{ mysql_host }}"
          login_user: "{{ mysql_user }}"
          login_password: "{{ mysql_pass }}"
      - name: Check if can access plain text vars
        debug:
          msg: "{{ my_plain_txt }}"

Error message:

    An exception occurred during task execution. To see the full traceback, use -vvv.
    The error was: TypeError: u'"inline_name"' is not JSON serializable
    fatal: [127.0.0.1]: FAILED! => {"failed": true, "msg": "Unexpected failure during module execution.", "stdout": ""}

  • Why don't you use a vaulted **variable** as [docs suggest](http://docs.ansible.com/ansible/latest/playbooks_vault.html#single-encrypted-variable)? I.e. as a variable. – techraf Nov 30 '17 at 07:06
  • 1
    @techraf if I remember correctly I was just playing around with ansible, and it seemed reasonable for my approach to work. – HermanTheGermanHesse Jul 10 '18 at 14:27

3 Answers

19

Add task-level variable:

      - name: Create
        mysql_db:
          state: present
          name: "{{ mysql_name }}"
          login_host: "{{ mysql_host }}"
          login_user: "{{ mysql_user }}"
          login_password: "{{ mysql_pass }}"
        vars:
          mysql_name: !vault |
              $ANSIBLE_VAULT;1.1;AES256
              39613261386438623937643062636166663638633062323939343734306334346537613233623064
              3761633832326365356231633338396132646532313861350a316666376566616633376238313636
              39343833306462323534623238333639663734626662623731666239366566643636386261643164
              3861363730336331660a316165633232323732633364346636363764623639356562336536636136
              6364

Konstantin Suvorov
  • I also didn't get where the missing quotes were. What worked for my case however, was using the "string" filter before passing the encrypted var to any module (verified the failure for uri, mysql_db and mysql_user modules): `password: "{{ pass | string }}"` – Alex Nov 06 '18 at 14:59
0

Double-quotes could explain this error but not for me. Look at the entire error/warning to see what is attempting to parse json. In my case....

[WARNING]: Failure using method (v2_runner_on_ok) in callback plugin (): u'secret_value' is not JSON serializable

An older AWX callback plugin called json.load and logged a warning along with secrets in plain text. It needed an upgrade.

user1198049
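
Why the inline value fails to serialize and what a logging callback should do with it, as an added example that is not part of the original answers. `VaultedText` is a constructed stand-in for the vault wrapper (not Ansible's class), assuming the inline `!vault` value reaches the serializer as a wrapper object rather than a plain string; the block shows the `TypeError`, the effect of coercing to a string as `| string` does, and an encoder that redacts instead of writing the secret to a log.

```python
import json


class VaultedText:
    """Constructed stand-in for a lazily decrypted vault value (assumption)."""

    def __init__(self, plaintext):
        self._plaintext = plaintext

    def __str__(self):
        return self._plaintext


def fails_to_serialize(module_args):
    """A serializer unaware of the wrapper raises TypeError, as in the question."""
    try:
        json.dumps(module_args)
    except TypeError:
        return True
    return False


def coerced_dump(module_args):
    """Counterpart of "{{ var | string }}": turn wrappers into str, then dump."""
    plain = {k: str(v) if isinstance(v, VaultedText) else v
             for k, v in module_args.items()}
    return json.dumps(plain, sort_keys=True)


class RedactingEncoder(json.JSONEncoder):
    """For logs and callbacks: serialize without exposing the decrypted value."""

    def default(self, o):
        if isinstance(o, VaultedText):
            return "**REDACTED**"
        return super().default(o)


def log_dump(module_args):
    """Serialize task arguments for a log line with secrets masked."""
    return json.dumps(module_args, cls=RedactingEncoder, sort_keys=True)


# Constructed sample mirroring the mysql_db task arguments in the question.
ARGS = {"state": "present", "name": VaultedText("inline_name")}
```
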
0

I have implemented the same for sending email using the mail module, and it's working as expected.

    ansible-vault encrypt_string yourgmailapppassword --name gmail_password

Use the above method to encrypt the Gmail app password using the ansible-vault string option and define the encrypted variable in the playbook.

cat fetch-users-deatils.yml

    - name: Linux servers user audit report preparation
      hosts: "{{ HOSTS }}"
      roles:
        - user-collections
    
    - name: Refreshing user Dashboard & sending email from localhost
      hosts: localhost
      become: false
      vars:
        # vars given as a mapping; the list-of-dicts form is deprecated
        gmail_password: !vault |
              $ANSIBLE_VAULT;1.1;AES256
              62613232383962323430633831113465356231563163366235353034393230656331663436646233
              3266353862303738303737383530313664356135336661390a336562613436626665333833323030
              61393135643433313930643337363465343332353716333831222766376137396430426361663633
              6233313433633231320a663435636230636431643731333166366435346564316331323361633566
              38622138392437888466666535323432653034323936353961646233613437343831
      tasks:
        - name: Collecting the user details information and recreating the users dashboard
          script: dashboard_user.sh
          tags: user_dashboard
    
    
        - name: User Audit data output file stored on below location
          debug:
            msg:
             /tmp/user_collection/user_details.csv
    
        - name: 'Sending Ansible users report email'
          mail:
            host: smtp.gmail.com
            subtype: html
            port: 587
            password: "{{ gmail_password }}"
            to: abcdefghijkl@gmail.com
            from: abcdefghijkl@gmail.com
            username: abcdefghijkl@gmail.com
            subject: User details report
            attach: /tmp/user_collection/user_details.csv
            body: <pre> {{ lookup('file', '/tmp/user_collection/user_details.csv') }} </pre>
          delegate_to: localhost

Below is the ansible-playbook execution command:

    ansible-playbook fetch-users-deatils.yml -e "HOSTS=all" --ask-vault-pass