How can I print an Ansible vaulted variable that includes a Kubernetes secret from the CLI?

Question

I have a Ansible group_vars directory with the following file within it:

$ cat inventory/group_vars/env1
...
...
ldap_config: !vault |
          $ANSIBLE_VAULT;1.1;AES256
          31636161623166323039356163363432336566356165633232643932623133643764343134613064
          6563346430393264643432636434356334313065653537300a353431376264333463333238383833
          31633664303532356635303336383361386165613431346565373239643431303235323132633331
          3561343765383538340a373436653232326632316133623935333739323165303532353830386532
          39616232633436333238396139323631633966333635393431373565643339313031393031313836
          61306163333539616264353163353535366537356662333833653634393963663838303230386362
          31396431636630393439306663313762313531633130326633383164393938363165333866626438
...
...

This Ansible encrypted string has a Kubernetes secret encapsulated within it. A base64 blob that looks something like this:

IyMKIyBIb3N0IERhdGFiYXNlCiMKIyBsb2NhbGhvc3QgaXMgdXNlZCB0byBjb25maWd1cmUgdGhlIGxvb3BiYWNrIGludGVyZmFjZQojIHdoZW4gdGhlIHN5c3RlbSBpcyBib290aW5nLiAgRG8gbm90IGNoYW5nZSB0aGlzIGVudHJ5LgojIwoxMjcuMC4wLjEJbG9jYWxob3N0CjI1NS4yNTUuMjU1LjI1NQlicm9hZGNhc3Rob3N0Cjo6MSAgICAgICAgICAgICBsb2NhbGhvc3QKIyBBZGRlZCBieSBEb2NrZXIgRGVza3RvcAojIFRvIGFsbG93IHRoZSBzYW1lIGt1YmUgY29udGV4dCB0byB3b3JrIG9uIHRoZSBob3N0IGFuZCB0aGUgY29udGFpbmVyOgoxMjcuMC4wLjEga3ViZXJuZXRlcy5kb2NrZXIuaW50ZXJuYWwKIyBFbmQgb2Ygc2VjdGlvbgo=

How can I decrypt this in a single CLI?

score 1 · Answer 1 · answered Sep 24 '19 at 00:52

We can use an Ansible adhoc command to retrieve the variable of interest, ldap_config. To start we're going to use this adhoc to retrieve the Ansible encrypted vault string:

$ ansible -i "localhost," all               \
    -m debug                                \
    -a 'msg="{{ ldap_config }}"'            \
    --vault-password-file=~/.vault_pass.txt \
    -e@inventory/group_vars/env1
localhost | SUCCESS => {
    "msg": "ABCD......."

Make note that we're:

using the debug module and having it print the variable, msg={{ ldap_config }}
giving ansible the path to the secret to decrypt encrypted strings
using the notation -e@< ...path to file...> to pass the file with the encrypted vault variables

Now we can use Jinja2 filters to do the rest of the parsing:

$ ansible -i "localhost," all                             \
     -m debug                                             \
     -a 'msg="{{ ldap_config | b64decode | from_yaml }}"' \
     --vault-password-file=~/.vault_pass.txt              \
     -e@inventory/group_vars/env1
localhost | SUCCESS => {
    "msg": {
        "apiVersion": "v1",
        "bindDN": "uid=readonly,cn=users,cn=accounts,dc=mydom,dc=com",
        "bindPassword": "my secret password to ldap",
        "ca": "",
        "insecure": true,
        "kind": "LDAPSyncConfig",
        "rfc2307": {
            "groupMembershipAttributes": [
                "member"
            ],
            "groupNameAttributes": [
                "cn"
            ],
            "groupUIDAttribute": "dn",
            "groupsQuery": {
                "baseDN": "cn=groups,cn=accounts,dc=mydom,dc=com",
                "derefAliases": "never",
                "filter": "(objectclass=groupOfNames)",
                "scope": "sub"
            },
            "tolerateMemberNotFoundErrors": false,
            "tolerateMemberOutOfScopeErrors": false,
            "userNameAttributes": [
                "uid"
            ],
            "userUIDAttribute": "dn",
            "usersQuery": {
                "baseDN": "cn=users,cn=accounts,dc=mydom,dc=com",
                "derefAliases": "never",
                "scope": "sub"
            }
        },
        "url": "ldap://192.168.1.10:389"
    }
}

NOTE: The above section -a 'msg="{{ ldap_config | b64decode | from_yaml }}" is what's doing the heavy lifting in terms of converting from Base64 to YAML.

References

Zeitounator · Answer 2 · 2021-12-17T13:19:21.770

0

If you need a one liner that works with any yaml file (not only in inventory) containing inlined vault vars, and if you are ready to install a pip package for that, there is a solution using yq, a yaml processor built on top of jq

prerequesite: Install yq

pip install yq

Usage

You can get your result with the following command:

yq -r .ldapconfig inventory/group_vars/env1 | ansible_vault decrypt

If you need to type your vault pass interactively, don't forget to add the relevant option

yq -r .ldapconfig inventory/group_vars/env1 | ansible_vault --ask-vault-pass decrypt

Note: the -r option to yq is mandatory to get a raw result without the quotation marks around the value.

edited Dec 17 '21 at 13:19

answered Sep 24 '19 at 12:31

Zeitounator

38,476
7
53
66

You must use the `-r` option with `yq`, in order to drop the quotation marks. – fionn Dec 17 '21 at 11:53
You are right and I fixed it but note that you are fully allowed to propose an edit (or do it directly when you get enough reputation) on existing answers. Editing (questions, answers, tags....) is actually one of the most important action you should get familiar with on SO. – Zeitounator Dec 17 '21 at 13:22

How can I print an Ansible vaulted variable that includes a Kubernetes secret from the CLI?

2 Answers2

References