use password lookup together with vault?


Ulrich Hochholdinger

Jun 5, 2015, 5:45:32 AM
to ansible...@googlegroups.com
Hi,
is it possible to keep the password information generated with the password lookup in a vault-encrypted file?
I want to generate new random passwords for new machines and keep them idempotent. But the already generated passwords should be kept encrypted in the playbook e.g. as vault-file.
"lookup password" seems perfect for this. But they are kept in clear text, and can't be encrypted as a vault?

I tried the following, which does not work:

task in test.yml playbook:
- name: debug
  debug: msg="{{ lookup('password', 'passwordfile chars=ascii_letters length=15 encrypt=sha512_crypt') }}"

ansible-playbook -i "myhost," --vault-password-file /root/.vault test.yml
# passwordfile is generated cleartext

ansible-vault encrypt roles/passwords/files/passwordfile
# passwordfile is now a vault

ansible-playbook -i "myhost," --vault-password-file /root/.vault test.yml
# passwordfile is simply overwritten with new clear-text data :-(

Does anyone have a cool solution for this?

Cheers
    Ulli
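
One way to get the behaviour asked for above, shown as an added example that is not part of the original thread: keep one vault-encrypted vars file per host and generate a password only when that file does not exist yet. The `secrets/` directory (which must already exist next to the playbook) and the `machine_password` variable name are assumptions; the vault password file path is the one used in the post.

```yaml
# Added example, not from the thread. secrets/ and machine_password are assumed names.
- hosts: all
  gather_facts: false
  vars:
    secret_file: "{{ playbook_dir }}/secrets/{{ inventory_hostname }}.yml"
  tasks:
    - name: Check whether a vaulted secret already exists for this host
      stat:
        path: "{{ secret_file }}"
      delegate_to: localhost
      register: secret_stat

    # include_vars decrypts vault files transparently when the play is
    # started with --vault-password-file, so reruns reuse the stored value.
    - name: Load the stored password
      include_vars:
        file: "{{ secret_file }}"
      when: secret_stat.stat.exists
      no_log: true

    # /dev/null as the lookup path means the password lookup itself
    # stores nothing on disk; persistence is handled by the tasks below.
    - name: Generate a password only for hosts without a stored one
      set_fact:
        machine_password: "{{ lookup('password', '/dev/null chars=ascii_letters length=15') }}"
      when: not secret_stat.stat.exists
      no_log: true

    - name: Write the new password to a vars file readable only by the owner
      copy:
        content: "machine_password: {{ machine_password }}\n"
        dest: "{{ secret_file }}"
        mode: "0600"
      delegate_to: localhost
      when: not secret_stat.stat.exists
      no_log: true

    - name: Encrypt the vars file with the same vault password
      command: >
        ansible-vault encrypt --vault-password-file /root/.vault
        {{ secret_file }}
      delegate_to: localhost
      when: not secret_stat.stat.exists
```

The password sits in clear text on the control machine between the last two tasks, so `secrets/` should be on a filesystem only the operator can read and excluded from version control until the file is encrypted.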

Martin

Jun 5, 2015, 6:20:18 AM
to ansible...@googlegroups.com
You might want to look at Vault from HashiCorp. Drop me a note when your plugin is ready to test ;)