ansible vault with ad hoc command line


Rajendra Rawat

Oct 29, 2018, 9:00:56 AM
to ansible...@googlegroups.com
Hi All,

Is it possible to use ansible-vault with ad-hoc commands?
Use case: I have not set up an SSH key and I want to use the ping module on a target machine.

The normal way, if we have set up an SSH key or pass the plain-text password:
1: ansible <target_hostname> -m ping [if ssh key configured]
2: ansible <target_hostname> -m ping --extra-vars "ansible_user=<username> ansible_password=<password>"

But I want to do this with ansible-vault.
Is it possible? Any help would be appreciated.

Thanks & Regards

Rajendra Rawat

Andrew Latham

Oct 29, 2018, 11:47:37 AM
to ansible...@googlegroups.com
Try something like...

ansible <target_hostname> -m ping --vault-id ~/.vault -e @yourvault.yml

This will expose the variables for your use, like in your inventory:

ansible_become: true
ansible_become_method: su
ansible_become_user: root
ansible_become_pass: "{{ var_from_vault }}"



Mohan L

Oct 29, 2018, 11:49:48 AM
to Ansible Project
Do you have any problem using vault with ad hoc commands?

Here is an example of how it works.

I have a vault secret file under group_vars like below. You have to use ansible-vault create.

# ansible-vault view group_vars/myserver.yml
Vault password:
---
ansible_user: root
ansible_ssh_pass: password1

I have my vault password stored in a file which looks like below:

# cat vault_key
myvault@pass

I am using an ad-hoc command like below and it works. What is your problem?

# ansible myserver -m file -a "dest=/tmp/hello mode=755 state=directory" -u root --vault-password-file vault_key

localhost | SUCCESS => {
    "changed": false,
    "gid": 0,
    "group": "root",
    "mode": "0755",
    "owner": "root",
    "path": "/tmp/hello",
    "secontext": "unconfined_u:object_r:user_tmp_t:s0",
    "size": 6,
    "state": "directory",
    "uid": 0
}



Thanks
Mohan L

Rajendra Rawat

Oct 29, 2018, 3:34:03 PM
to ansible...@googlegroups.com
Hi Mohan,

I tried running the ad-hoc command as you suggested but it is not working:

ansible <target_hostname> -m ping -u <target_vm_username> --vault-password-file <secret_file>

where "secret_file" was created with the password of <target_vm_username>:
ansible-vault create secret_file
cat secret_file
<password>

Output:
 [WARNING]: Error in vault password file loading (default): A vault password must be specified to decrypt data
ERROR! A vault password must be specified to decrypt data

Am I doing something wrong?


Thanks & Regards

Rajendra Rawat




Mohan L

Oct 29, 2018, 10:51:34 PM
to Ansible Project

You have to pass the vault password to the ansible command, not the vault file itself. The vault file stores your secrets/variables in encrypted format and the vault password is used to decrypt it. Pass the vault password to the ansible command.


Have you read this doc: https://docs.ansible.com/ansible/2.7/user_guide/vault.html

Take a look at the below link as well:

https://serversforhackers.com/c/how-ansible-vault-works



If your roles or playbooks reference encrypted variables, you need to give Ansible the password to decrypt them. Prior to Ansible 2.4, you could do this in two ways:


1). Using the --ask-vault-pass flag will instruct Ansible to ask for the vault password so it can decrypt the variable files correctly.


2). Using the --vault-password-file flag will instruct Ansible to read the vault password from a file. Ansible uses the password within the referenced file to decrypt the vault file.


Since Ansible 2.4, there is another way to provide a vault password: the --vault-id option. This allows vault files or vars that are encrypted with different passwords to be used at the same time. That is what Andrew mentioned in his post.
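The failure quoted earlier in this thread (the "A vault password must be specified to decrypt data" error) is what you get when the file handed to --vault-password-file is itself the output of ansible-vault create: ansible expects a plain-text password on the first line and instead finds a vault header it cannot decrypt. The following preflight check is an added example, not code from the thread or from Ansible. It refuses a password file that is vault-encrypted, has an empty first line, or is readable by other users, and accepts an executable (which ansible runs to obtain the password). The scratch directory, sample files and the placeholder vault payload are constructed for the example.

```shell
#!/bin/sh
# Added example: validate a file before passing it to --vault-password-file.
# Returns 0 when the file is usable, 1 otherwise (reason on stderr).
vault_pw_file_ok() {
    f=$1
    [ -f "$f" ] || { echo "no such file: $f" >&2; return 1; }
    # Owner-only modes: the file holds (or produces) a secret.
    perms=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")
    case "$perms" in
        600|400|700|500) ;;
        *) echo "$f has mode $perms; run: chmod 600 $f" >&2; return 1 ;;
    esac
    # An executable is a password script: ansible runs it and reads stdout.
    [ -x "$f" ] && return 0
    first=$(head -n 1 "$f")
    case "$first" in
        '$ANSIBLE_VAULT;'*)
            # This is what `ansible-vault create` produces: the encrypted file,
            # not the password that unlocks it.
            echo "$f is vault-encrypted; pass the plain-text password file instead" >&2
            return 1 ;;
        '')
            echo "$f: first line (the password) is empty" >&2
            return 1 ;;
    esac
    return 0
}

# Constructed sample files in a scratch directory (assumption: mktemp -d works here).
WORK=$(mktemp -d)
printf 'myvault@pass\n' > "$WORK/vault_key"          # correct: plain password, 0600
chmod 600 "$WORK/vault_key"
printf '$ANSIBLE_VAULT;1.1;AES256\n6162636465666768\n' > "$WORK/secret_file"   # placeholder payload, not real ciphertext
chmod 600 "$WORK/secret_file"                        # wrong: the vault file itself
printf 'myvault@pass\n' > "$WORK/leaky_key"
chmod 644 "$WORK/leaky_key"                          # wrong: world-readable secret
printf '#!/bin/sh\necho myvault@pass\n' > "$WORK/pw_script"
chmod 700 "$WORK/pw_script"                          # correct: password script

# Stand-alone usage: report which of the samples would work.
for f in "$WORK/vault_key" "$WORK/secret_file" "$WORK/leaky_key" "$WORK/pw_script"; do
    if vault_pw_file_ok "$f"; then echo "OK: $f"; fi
done
```

Run it before the ad hoc command, e.g. `vault_pw_file_ok vault_key && ansible myserver -m ping --vault-password-file vault_key`; the check is deliberately silent on success so it can sit in a wrapper script.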


 

Rajendra Rawat

Oct 30, 2018, 2:09:52 AM
to ansible...@googlegroups.com

I have gone through the link shared by you but nowhere is it using the vault for an ad hoc command. It is using it for a playbook.

Request you to please share an example with the ping module, as I did in my previous email; that would be helpful in understanding it.

ad-hoc command:

ansible <hostname> -m ping <what_next?>

Please note an SSH key is not set up on the target host.


Thanks & Regards

Rajendra Rawat

Mohan L

Oct 30, 2018, 7:36:46 AM
to Ansible Project


I have already given you an example; you can see it if you read my first reply to this thread closely. Ansible vault works the same way for both ansible-playbook and the ansible command. Whatever is documented for ansible-playbook also works with ansible ad hoc if you use vault. You have to spend some time to learn it. Everything is documented well.

Here is the step by step example:

1). Create a directory group_vars


# mkdir -p /etc/ansible/group_vars


2). Create a variable file with your server user name and password. Please note this is the username and password which your ansible ad hoc command is going to use to log in to your target machine.


# vim /etc/ansible/group_vars/myserver.yml


---
ansible_user: root
ansible_ssh_pass: toor


Save the file with the above two variables. You have to change these to your target machine username and password.


3). My sample file looks like below after step 2.


# cat /etc/ansible/group_vars/myserver.yml
---
ansible_user: root
ansible_ssh_pass: toor


4). Encrypt the /etc/ansible/group_vars/myserver.yml file. The ansible-vault command will prompt you for a password twice (a second time to confirm the first). Once that's done, the file will be encrypted! If you edit the file directly, you'll just see encrypted text.


# ansible-vault encrypt /etc/ansible/group_vars/myserver.yml

New Vault password:
Confirm New Vault password:
Encryption successful


NOTE: You have to use this password with the ansible ad hoc command. In my case I used 'test123' as the password.


5). You will need to make an inventory file for Ansible. An inventory file lists the hosts which you would like to manage and the groups they belong to. I've created an inventory file called 'myhostfile'.


# vim /etc/ansible/myhostfile
[myserver]
localhost


NOTE: Here 'myserver' is the group name and I have only one host, which is my local machine. You need to change localhost to your target machine hostname or IP address. If you notice closely, my group name is 'myserver' and the vault file under the group_vars directory has the same name.


6). Now run your ansible ad hoc command. Here is one ad hoc command which will create a file /tmp/hello on the target machine.



# ansible -i /etc/ansible/myhostfile myserver -m file -a "dest=/tmp/hello mode=755 state=directory" -u root --ask-vault-pass

Vault password:

localhost | SUCCESS => {
    "changed": false,
    "gid": 0,
    "group": "root",
    "mode": "0755",
    "owner": "root",
    "path": "/tmp/hello",
    "secontext": "unconfined_u:object_r:user_tmp_t:s0",
    "size": 6,
    "state": "directory",
    "uid": 0
}



NOTE: I used --ask-vault-pass, which will prompt you for the vault password. In my case it is 'test123', which I used to decrypt the file. Please refer to step 4.


You can also save the password in a file and pass it with --vault-password-file.


Hope it helps you. If you still have a problem then you have to send more details about what exactly you are doing.

Rajendra Rawat

Oct 31, 2018, 2:22:29 AM
to ansible...@googlegroups.com
It is working for me now. Thanks for explaining it in detail.
It is working for me after creating the group in /etc/ansible/group_vars.

I have a doubt: can we achieve the same functionality without creating a vault file with the same group name which we gave in the inventory file in /etc/ansible/group_vars/?
  

Thanks & Regards

Rajendra Rawat


Mohan L

Oct 31, 2018, 4:07:04 AM
to Ansible Project

You can create a directory called 'all' under your playbook's group_vars directory and use 'all' in your ad hoc command. This way the variables are applied to all the hosts defined in myhostfile in my example.

# tree -L 3 /etc/ansible/group_vars
/etc/ansible/group_vars
`-- all
    `-- secrets.yml

# ansible -i /etc/ansible/myhostfile all -m file -a "dest=/tmp/hello mode=755 state=directory" -u root --ask-vault-pass

Vault password:

localhost | SUCCESS => {
    "changed": false,
    "gid": 0,
    "group": "root",
    "mode": "0755",
    "owner": "root",
    "path": "/tmp/hello",
    "secontext": "unconfined_u:object_r:user_tmp_t:s0",
    "size": 6,
    "state": "directory",
    "uid": 0
}
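The step-by-step procedure from Mohan's earlier reply (steps 1 to 6) and the group_vars/all variant from the reply just above, as one script. This is an added example, not code from the thread or from Ansible. make_layout writes the inventory and the group_vars file for a named group (pass "all" for the variant that applies to every host), keeping both secret files owner-only; run_adhoc encrypts the group file and runs the ping module with --vault-password-file in place of the interactive --ask-vault-pass. Assumptions: a writable scratch directory, and, for run_adhoc, ansible and ansible-vault on PATH plus a target that accepts the password. When they are not installed, the ansible step is skipped and only the files are produced; the host, user, password and vault password values are the constructed ones from the thread.

```shell
#!/bin/sh
# Added example: ad hoc ping with credentials from an ansible-vault group_vars file.

# make_layout DIR GROUP HOST USER PASS VAULT_PASS
# Creates DIR/hosts, DIR/group_vars/GROUP.yml (plain text until encrypted) and
# DIR/vault_key. The group_vars file name must equal the inventory group name,
# otherwise the variables are never applied to the host.
make_layout() {
    [ $# -eq 6 ] || { echo "usage: make_layout DIR GROUP HOST USER PASS VAULT_PASS" >&2; return 1; }
    dir=$1 group=$2 host=$3 user=$4 pass=$5 vpass=$6
    mkdir -p "$dir/group_vars" || return 1
    if [ "$group" = all ]; then
        # "all" is implicit: an ungrouped host still belongs to it, so no [all] header.
        printf '%s\n' "$host" > "$dir/hosts"
    else
        printf '[%s]\n%s\n' "$group" "$host" > "$dir/hosts"
    fi
    printf -- '---\nansible_user: %s\nansible_ssh_pass: %s\n' "$user" "$pass" > "$dir/group_vars/$group.yml"
    # The vault password file is plain text: one line, the password itself.
    printf '%s\n' "$vpass" > "$dir/vault_key"
    # Both files hold secrets; keep them owner-only.
    chmod 600 "$dir/group_vars/$group.yml" "$dir/vault_key"
}

# True when the file carries the ansible-vault header, i.e. encrypt actually ran.
is_vault_encrypted() {
    case "$(head -n 1 "$1")" in '$ANSIBLE_VAULT;'*) return 0 ;; esac
    return 1
}

# run_adhoc DIR GROUP: encrypt the group file, verify the header, then ping the group.
run_adhoc() {
    dir=$1 group=$2
    if ! command -v ansible >/dev/null 2>&1 || ! command -v ansible-vault >/dev/null 2>&1; then
        echo "ansible not installed; skipping encrypt and ping" >&2
        return 0
    fi
    ansible-vault encrypt --vault-password-file "$dir/vault_key" "$dir/group_vars/$group.yml" || return 1
    is_vault_encrypted "$dir/group_vars/$group.yml" || { echo "encrypt did not produce a vault file" >&2; return 1; }
    # The same password file now decrypts group_vars on every ad hoc run.
    ansible -i "$dir/hosts" "$group" -m ping --vault-password-file "$dir/vault_key"
}

# Stand-alone run with the thread's constructed values (localhost / root / toor / test123).
WORK=$(mktemp -d)
make_layout "$WORK" myserver localhost root toor test123
run_adhoc "$WORK" myserver
```

A directory form such as group_vars/all/secrets.yml, as in the reply above, is loaded the same way as group_vars/all.yml; the script uses the single-file form so one function serves both the named group and the all case. The plain-text copy of the credentials exists only between make_layout and the encrypt step, which is why the file is created with mode 0600 rather than relying on umask.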

Rajendra Rawat

Nov 1, 2018, 12:49:40 AM
to ansible...@googlegroups.com
Thanks a lot Mohan for your help.

Thanks & Regards

Rajendra Rawat

