14

I have an Ansible playbook that uses vault, and I want to ask for the vault password through a prompt box in my web interface and then pass the posted password when running the Ansible playbook. I tried to use:

    echo $password | ansible-playbook test.yml --ask-vault-pass

to pass the password to the playbook, but it doesn't work, the error message is:

    "msg": "Attempting to decrypt but no vault secrets found"

I don't want to store the password in a file for some reasons, and for now I just want to pass the password to the playbook automatically while running it. Is there any advice for me? The Ansible version is 2.4.

techraf
snow

4 Answers

16

You can use a script instead of providing the password through an interactive interface.

Here's an example for your use case:

  1. Save path_to/vault_secret.sh file (add permissions to execute) with the following content:

    #!/bin/bash
    # Print the vault password; quoting keeps spaces and glob characters intact
    echo "$password"
    
  2. Execute:

    ansible-playbook test.yml --vault-password-file path_to/vault_secret.sh
    

Alternatively:

  1. Add to ansible.cfg:

    [defaults]
    vault_password_file=path_to/vault_secret.sh
    
  2. Execute:

    ansible-playbook test.yml
    
techraf
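
An added example, not part of the original answer: a wrapper that takes the password on stdin (as the question's web backend would pipe it) and hands it to `ansible-playbook` through the executable `--vault-password-file` helper shown above, without writing the secret to disk or putting it on the command line. The names `VAULT_PASSWORD`, `ANSIBLE_PLAYBOOK_BIN`, `write_vault_helper` and `run_playbook_stdin_pass` are assumptions made for this example.

```bash
#!/usr/bin/env bash
# Added example, not code from the answers. VAULT_PASSWORD, ANSIBLE_PLAYBOOK_BIN
# and both function names are hypothetical names chosen for this sketch.

# Write the helper that ansible-playbook executes to obtain the password.
# The helper holds no secret: it only prints VAULT_PASSWORD from its environment.
write_vault_helper() {
    local helper="$1/vault_secret.sh"
    cat > "$helper" <<'EOF' || return 1
#!/bin/sh
# Fail closed: refuse to hand Ansible an empty password.
if [ -z "${VAULT_PASSWORD:-}" ]; then
    echo "VAULT_PASSWORD is not set" >&2
    exit 1
fi
# Quoted expansion, so spaces and glob characters survive unchanged.
printf '%s\n' "$VAULT_PASSWORD"
EOF
    chmod 700 "$helper" && printf '%s\n' "$helper"
}

# Usage: run_playbook_stdin_pass PLAYBOOK [extra ansible-playbook args...]
# Reads one line (the password posted by the web form) from stdin.
run_playbook_stdin_pass() {
    [ "$#" -ge 1 ] || return 2
    local playbook="$1" password="" tmpdir helper rc=0
    shift
    IFS= read -r password || true          # tolerate a missing final newline
    [ -n "$password" ] || return 2         # nothing on stdin: do not run
    tmpdir=$(mktemp -d) || return 1        # private 0700 directory
    helper=$(write_vault_helper "$tmpdir") || { rm -rf "$tmpdir"; return 1; }
    # The password is set only in the child's environment, never in argv.
    VAULT_PASSWORD="$password" "${ANSIBLE_PLAYBOOK_BIN:-ansible-playbook}" \
        "$playbook" --vault-password-file "$helper" "$@" </dev/null || rc=$?
    rm -rf "$tmpdir"
    return "$rc"
}
```

Call it as `printf '%s\n' "$password" | run_playbook_stdin_pass test.yml`. On Linux the variable is still readable from the child's `/proc/<pid>/environ` by the same user and by root for the lifetime of the run.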
5

You can use --vault-password-file with a file descriptor:

    ansible-playbook test.yml --vault-password-file <(echo somepassword)

Zlemini
2

Here's how I am doing things, and it works well. My command line looks like this:

    [prompt/]$ansible-playbook -i <inventory>, /mnt/m/NetworkGetters/get_vpn_status.yml --extra-vars varsfilepath=/mnt/m/NetworkVars/host_vars/test-oci-test-vpn-config.yml

My sanitized passwords.yml (vault file) looks like this:

    ---
    credentials:
      base: &base
        host: "{{ansible_host}}"
        timeout: 30
        transport: cli
      svc_rhelsystemrw:
        <<: *base
        username: svc_rhelsystemrw
        password: dWERE#@kds23

My playbooks follow this convention:

    - name: Set VPN Configuration
      hosts: all
      connection: local
      gather_facts: no
      vars_files:
        - "{{ varsfilepath }}"
        - "/etc/ansible/NetworkVars/passwords.yml"
      vars:
        # ssh_auth credentials come from ansible vault
        provider_rw:
          username:  "{{ credentials['svc_rhelsystemrw'].username }}"
          password:  "{{ credentials['svc_rhelsystemrw'].password }}"

      tasks:
      - name: Capture Pre-change Configuration
        ios_command:
          provider: "{{ provider_rw }}"
          commands:
            - show running-config
        register: running_config_before
        tags: vpn

      - debug:
          var: running_config_before.stdout
        tags: vpn

RobWieters
1

@All Make sure you are adding `vault_password_file =` to the `[defaults]` section of the ansible.cfg file.

I was facing the same issue when I added `vault_password_file =` in another section; it was resolved after moving it into `[defaults]`.

Try your luck and see if that helps.