Encrypting Ansible Playbook


Sandeep Kandhway

Nov 20, 2018, 5:26:40 AM
to Ansible Project
Hi Experts,

I have prepared an Ansible Playbook. However, I want to encrypt the playbook in such a way that the end user to whom I'll be providing the playbook will have only the privilege to run the playbook and not to view its contents. With Vault I can encrypt this, but again, to run the playbook I need to provide the vault password. With this password the code can automatically be decrypted very easily. Is there any way to achieve this?

Thanks,
Sandeep

ameya agashe

Nov 20, 2018, 5:29:53 AM
to ansible...@googlegroups.com
Very good question, I also wonder if this is indeed possible?

Kind Regards,
Ameya Agashe

--
You received this message because you are subscribed to the Google Groups "Ansible Project" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ansible-proje...@googlegroups.com.
To post to this group, send email to ansible...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/208335ea-f415-446e-affe-23e215ff4b46%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Sandeep Kandhway

Nov 20, 2018, 6:52:52 AM
to Ansible Project
Please let me know for any updates.

Brian Coca

Nov 20, 2018, 9:30:59 AM
to ansible...@googlegroups.com
Instead of providing the vault password, allow execution of a vault
script that will query/generate the password after it verifies it is
being called from ansible-playbook (so the user cannot call it directly).


----------
Brian Coca
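
The following is an added example, not code from this thread or from the Ansible project: a minimal sketch of the caller check described in the reply above, for an executable script passed via `--vault-password-file`. It assumes Linux procfs, that the script is started as a direct child of the `ansible-playbook` process, and a hypothetical secret location `SECRET_FILE`.

```python
#!/usr/bin/env python3
"""Vault password script: emit the password only when the parent is ansible-playbook."""
import os
import sys

# Assumptions for this example (not from the thread):
ALLOWED_NAMES = {"ansible-playbook"}          # entry point accepted as the caller
SECRET_FILE = "/etc/ansible/.vault_secret"    # hypothetical password location


def read_cmdline(pid, proc_root="/proc"):
    """Return the argv list of `pid` from procfs, or [] if it cannot be read."""
    try:
        with open(os.path.join(proc_root, str(pid), "cmdline"), "rb") as fh:
            raw = fh.read()
    except OSError:
        return []
    return [a.decode("utf-8", "replace") for a in raw.split(b"\0") if a]


def called_from_ansible_playbook(pid, proc_root="/proc"):
    """True if argv[0] or argv[1] of `pid` is ansible-playbook.

    argv[1] is checked because the command is a Python script, so procfs
    usually shows "<python> /path/to/ansible-playbook ...".
    """
    argv = read_cmdline(pid, proc_root)
    return any(os.path.basename(a) in ALLOWED_NAMES for a in argv[:2])


def main():
    if not called_from_ansible_playbook(os.getppid()):
        sys.stderr.write("refusing: not invoked by ansible-playbook\n")
        return 1
    # Ansible reads the vault password from this script's stdout.
    with open(SECRET_FILE, encoding="utf-8") as fh:
        sys.stdout.write(fh.read().strip() + "\n")
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

The check is advisory only: the script runs as the invoking user, so anything it can read, that user can read too. Keeping the secret out of the user's reach requires running the playbook under a separate account or through a service such as AWX/Tower, as suggested later in the thread.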

Dick Visser

Nov 20, 2018, 11:27:26 AM
to ansible...@googlegroups.com
Hi,

Could you tell us what the rationale is for such a requirement?
I can understand some sort of integrity checks to make sure content hasn’t been tampered with or isn’t damaged.
But it sounds counterintuitive to run something that has been deliberately obfuscated.
So please enlighten us.

Dick

--
Sent from a mobile device - please excuse the brevity, spelling and punctuation.

Jonathan Lozada De La Matta

Nov 20, 2018, 11:36:38 AM
to ansible...@googlegroups.com
I would make the roles/playbook as modular as possible, then have each user pass the necessary variables. If you want others to use credentials but not see them, then I suggest you use awx/tower.



--

Jonathan lozada de la matta

AUTOMATION PRACTICE
