Encrypted variables for hosts

superm...@gmail.com

Jul 24, 2018, 2:22:54 PM
to Ansible Project
Hi everyone,

I read about encrypted variables in the Ansible documentation that the best practice to manage encrypted variables (only variables, not the whole yml file) is to use a var file and a vault file in group_vars.

Does it make sense to do the same also for hosts?

For example host_vars/hostname with inside:

var file (unencrypted content)
vault file (encrypted content)

Is it a common practice?

Thanks

Dick Visser

Jul 25, 2018, 8:10:29 AM
to ansible...@googlegroups.com
It does make sense to store secrets in an encrypted vars file.

One downside of this approach is that the var names in that file also
go under the radar.
So hard to find in git commits etc because the entire file is encrypted.
If you just have one or two secrets then I'd use inline encrypted vars:
https://docs.ansible.com/ansible/latest/user_guide/vault.html#use-encrypt-string-to-create-encrypted-variables-to-embed-in-yaml

I find this especially useful for structured vars like dicts or lists
that only contain one or two secrets.

Dick

superm...@gmail.com

Jul 25, 2018, 12:31:58 PM
to Ansible Project
Thanks Dick, I just tried to encrypt strings and it works fine :)
It was for username and pw. If I had more variables I would've encrypted the whole variables file.
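
The trade-off discussed in this thread, as an added example that is not part of the original posts: a small Python audit that reports, for each file under host_vars/ and group_vars/, whether it is a whole-file vault (variable names hidden from review) or uses inline `!vault` values (names still visible in diffs). The function names, sample variable names and placeholder ciphertext are constructed for illustration.

```python
import re
from pathlib import Path

VAULT_HEADER = "$ANSIBLE_VAULT;"
# "name: !vault |" at any indent, the form `ansible-vault encrypt_string` emits.
INLINE_RE = re.compile(r"^[ \t]*([A-Za-z_]\w*):[ \t]*!vault[ \t]*\|", re.M)
# Top-level keys only: these are the names a reviewer sees in a diff.
TOP_LEVEL_RE = re.compile(r"^([A-Za-z_]\w*):", re.M)

# Constructed samples; the ciphertext is a placeholder, not real vault output.
SAMPLE_WHOLE_FILE = "$ANSIBLE_VAULT;1.1;AES256\n<ciphertext placeholder>\n"
SAMPLE_INLINE = """\
ansible_user: deploy
db:
  user: app
  password: !vault |
    $ANSIBLE_VAULT;1.1;AES256
    <ciphertext placeholder>
"""

def audit_vars_text(text):
    """Classify one vars file and list the variable names left readable."""
    if text.lstrip().startswith(VAULT_HEADER):
        # Whole-file vault: names and values are both ciphertext.
        return {"mode": "whole-file", "visible_names": [], "encrypted_names": []}
    encrypted = INLINE_RE.findall(text)
    return {
        "mode": "inline" if encrypted else "plaintext",
        "visible_names": TOP_LEVEL_RE.findall(text),
        "encrypted_names": encrypted,
    }

def audit_tree(root):
    """Audit every file under host_vars/ and group_vars/ below root."""
    report = {}
    for sub in ("host_vars", "group_vars"):
        base = Path(root, sub)
        if not base.is_dir():
            continue
        for path in sorted(base.rglob("*")):
            if path.is_file():
                key = path.relative_to(root).as_posix()
                report[key] = audit_vars_text(path.read_text(errors="replace"))
    return report

if __name__ == "__main__":
    for name, sample in (("vault.yml", SAMPLE_WHOLE_FILE), ("vars.yml", SAMPLE_INLINE)):
        print(name, audit_vars_text(sample))
```

A file reported as `plaintext` inside a directory that is expected to hold secrets is the case worth reviewing by hand.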



