Using vault within Ansible Tower


Chase Farrant

Apr 11, 2016, 2:34:13 PM
to Ansible Project
Hi all, I have a few questions about the usage of vault within Ansible Tower.

Premise: 
When installing a Windows service via Ansible, I need to use specific credentials for running the actual service. For obvious reasons I do not want the plain-text credentials within my source code.

So within the credentials section of Tower, there are several types of credentials but there isn't a generic value type to reference within playbooks. Nor does there appear to be an option for encrypting entire yml files. From my basic understanding, it appears that Tower stores these credentials within its own database instead of using encrypted yml files.

Is there a 'best practice' solution to get around this problem? I don't really have a problem with these passwords being plain-text on the Ansible box itself.

Here is the best solution I can think of as of now:
- Create a vars file on the Ansible machine and encrypt it using ansible vault
- Copy the file to my dev machine and upload it to source
- Reference the encrypted yml file from within other playbooks
- Somehow pass the vault password from Tower to Ansible...?
- ....?.... 

Hopefully someone can nudge me in the right direction. Thanks! 


Chase Farrant

Apr 11, 2016, 4:33:03 PM
to ansible...@googlegroups.com
A few more questions. Can I set the vault password within ansible.cfg? Can Ansible detect when a yml file is encrypted?

-Chase Farrant

--
You received this message because you are subscribed to a topic in the Google Groups "Ansible Project" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/ansible-project/CO5KDqi0mYs/unsubscribe.
To unsubscribe from this group and all its topics, send an email to ansible-proje...@googlegroups.com.
To post to this group, send email to ansible...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/40f36241-a1a4-4255-a440-e3e5b09e9760%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Matt Martz

Apr 11, 2016, 4:41:36 PM
to ansible...@googlegroups.com
For tower questions please reach out to sup...@ansible.com or https://support.ansible.com/



--
Matt Martz
@sivel
sivel.net