Using lookup(csvfile) with an encrypted file with vault fails


Pabolito Garci

May 7, 2021, 4:53:22 AM
to Ansible Project
Hello,

Using ansible 2.9.19 in a RHEL7.8 server
python version = 2.7.5

I am trying to set facts from a lookup into a csv file. The playbook works, but as the facts set are passwords, I need to encrypt the content of the file.

I did: ansible-vault encrypt "hpe_sut_security_store.csv"

This is the task to set up the variables:

    - name: read credentials from csv file
      set_fact:
        hpe_sut_cred_user: "{{ lookup('csvfile', inventory_hostname +' file=hpe_sut_security_store.csv delimiter=; col=1') }}"
        hpe_sut_cred_pwd: "{{ lookup('csvfile', inventory_hostname +' file=hpe_sut_security_store.csv delimiter=; col=2') }}"

But set_fact or the lookup('csvfile') is not trying to decrypt the file, so the output is always an empty variable. It doesn't matter if I don't add the --ask-vault tags:

    ansible-playbook -vv play_single_prod.yml --ask-vault
    ansible-playbook -vv play_single_prod.yml

Both give the same result. I would expect not having the --ask-vault tag to fail the playbook, which leads me to think that the file is not seen as encrypted?

Is there something wrong I am doing, or is it expected behaviour that set_fact or lookup(csvfile) won't see it as an encrypted file?

Just in case, file is properly encrypted:

    head files/hpe_sut_credentials.csv
    $ANSIBLE_VAULT;1.1;AES256
    32346262623864346531656630663766623162383631653932643762353131656132393438366239
    3962396438343938363439356330363964333431636433360a613630666666326139343763313163
    39323063383565333231373237376263393239393864303137343734356364343133303539393533
    3239636436363965620a653730383263663833653235666330636234353834663662326434666362

Thanks in advance
Pablo Garcia

Dick Visser

May 7, 2021, 5:29:03 AM
to ansible...@googlegroups.com
On Fri, 7 May 2021 at 10:53, Pabolito Garci <pabo...@gmail.com> wrote:

> Is there something wrong I am doing, or is it expected behaviour that set_fact or lookup(csvfile) won't see it as an encrypted file?

AFAIK the csvfile lookup does not support vaulted CSV files.

--
Dick Visser
Trust & Identity Service Operations Manager
GÉANT

Vladimir Botka

May 7, 2021, 7:16:51 AM
to Pabolito Garci, ansible...@googlegroups.com
On Fri, 7 May 2021 01:53:22 -0700 (PDT)
Pabolito Garci <pabo...@gmail.com> wrote:

>     - name: read credentials from csv file
>       set_fact:
>         hpe_sut_cred_user: "{{ lookup('csvfile', inventory_hostname +' file=hpe_sut_security_store.csv delimiter=; col=1') }}"
>         hpe_sut_cred_pwd: "{{ lookup('csvfile', inventory_hostname +' file=hpe_sut_security_store.csv delimiter=; col=2') }}"

Lookup *file* will decrypt it. Parse the file on your own and create
a dictionary, e.g.

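    # Build {host: {user, pwd}} from the decrypted file, one row per loop item
    - set_fact:
        hpe_sut_cred: "{{ hpe_sut_cred|default({})|
                          combine({_arr.0: {'user': _arr.1,
                                            'pwd': _arr.2}}) }}"
      loop: "{{ lookup('file', 'store.csv').splitlines() }}"
      vars:
        # Fields of the current row: host;user;pwd
        _arr: "{{ item.split(';') }}"
      run_once: true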

Then, use it to set the variables

    - set_fact:
        user: "{{ hpe_sut_cred[inventory_hostname]['user'] }}"
        pwd: "{{ hpe_sut_cred[inventory_hostname]['pwd'] }}"

--
Vladimir Botka
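
An added example, not part of the original thread and not code from the Ansible project: a variant of the `lookup('file')` approach that keeps only the current host's row, fails early when the row is missing or duplicated, and keeps the credentials out of the task output with `no_log`. It assumes the file name from the question and a `host;user;password` row layout (inferred from `col=1` and `col=2`); the task names and the `_rows` and `_row` variables are illustrative.

```yaml
# Added example (tasks list fragment); _rows and _row are illustrative names.
# Assumed row layout, taken from the question's col=1/col=2: host;user;password
- name: Load this host's credentials from the vault-encrypted CSV
  vars:
    # lookup('file') reads through Ansible's loader, which decrypts vaulted
    # files. Keep only the row whose first field is exactly this host.
    _rows: "{{ lookup('file', 'hpe_sut_security_store.csv').splitlines()
               | select('match', '^' ~ (inventory_hostname | regex_escape) ~ ';')
               | list }}"
    # maxsplit=2 keeps any ';' inside the password field intact.
    _row: "{{ (_rows | first).split(';', 2) }}"
  block:
    - name: Fail early unless the host has exactly one well-formed row
      assert:
        that:
          - _rows | length == 1
          - _row | length == 3
        fail_msg: "Expected exactly one host;user;password row for {{ inventory_hostname }}"

    - name: Set the credential facts without logging them
      set_fact:
        hpe_sut_cred_user: "{{ _row[1] }}"
        hpe_sut_cred_pwd: "{{ _row[2] }}"
      no_log: true
```

Unlike the loop above, this stores only the current host's credentials in its facts, and a missing vault password makes the lookup fail instead of silently returning an empty value.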