Ansible Vault

[Mark Matthews]

Hi

I am am trying to setup Ansible vault and running into errors.

In my /etc/ansible/group_vars folder I have muliple vars files for specific server groups in the host files. These vars files (winservers.yml) have the servers login details...for example:

ansible_ssh_user: Administrator

ansible_ssh_pass: PASSWORD

ansible_ssh_port: 5986

ansible_connection: winrm

What I want to do is use vault to not have those passwords visable in these vars files.

So what I did is create a vault.yml file (using ansible-vault) in the group_vars folder. I then added the variables in the file

---

azure_password: PASSWORD1

winservers_password: PASSWORD

I then changed the above 'winservers.yml' vars file to the following:

ansible_ssh_user: Administrator

ansible_ssh_pass: {{ winservers_password }}

ansible_ssh_port: 5986

ansible_connection: winrm

I then tried to run a simple playbook on the 'winservers' servers, and got the following error:

The error appears to have been in '/etc/ansible/group_vars/winservers.yml': line 4, column 20, but may

be elsewhere in the file depending on the exact syntax problem.

The offending line appears to be:

ansible_ssh_user: Administrator

ansible_ssh_pass: {{ winservers_password }}

                   ^ here

We could be wrong, but this one looks like it might be an issue with

missing quotes.  Always quote template expression brackets when they

start a value. For instance:

    with_items:

      - {{ foo }}

Should be written as:

    with_items:

      - "{{ foo }}"

Is there a way of using vault to keep all passwords, and use it in a way above?

Cheers

Mark

[Jorge L.]

What about:

ansible_ssh_pass: "{{ winservers_password }}"

?

[Mark Matthews]

Hi

Its definitely a step further!

But I get the following error now:

fatal: [10.10.3.168]: FAILED! => {"failed": true, "msg": "'winservers_password' is undefined"}

Its as if it doesn't know where to look for the variable? Should it just know to ready the variable from the 'vault.yml' file?

[Arbab Nazar]

can you create the directory /etc/ansible/group_vars folder/all and put everything in it instead of /etc/ansible/group_vars folder?

[Mark Matthews]

Hi Arbab

So currently I have /etc/ansible/group_vars and in that folder I have the following:

azureservers.yml  vault.yml  windows.yml  winservers.yml

Do you want me to now create the following folder, /etc/ansible/group_vars/all 

Or must it be a new group_vars folder structure, /etc/ansible/group_vars folder/all

And then copy those yml file into that 'all' folder?

On Wednesday, March 30, 2016 at 5:25:50 PM UTC+1, Mark Matthews wrote:

[Arbab Nazar]

just create the all directory inside the /etc/ansible/group_vars/

and move the azureservers.yml  vault.yml  windows.yml  winservers.yml inside it.

--
You received this message because you are subscribed to a topic in the Google Groups "Ansible Project" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/ansible-project/Jloh5KRFLKg/unsubscribe.
To unsubscribe from this group and all its topics, send an email to ansible-proje...@googlegroups.com.
To post to this group, send email to ansible...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/7a0dc955-1027-4c84-8d74-292ed7e88b65%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[Uditha Desilva]

"vault.yml" is not a magical filename, you still need to use a "use_vars:" task to pull in the contents of that file. If you have provided the vault password (either via --ask-vault or via a vault password file), then that file will be decrypted and the variables within it will be evaluated.

[Johannes Kastl]

Am 30.03.16 schrieb Arbab Nazar:

> just create the all directory inside the /etc/ansible/group_vars/
> and move the azureservers.yml vault.yml windows.yml winservers.yml
> inside it.

That complete contradicts the 'one file per group' scheme that is the
basis for the group_vars folder.

Just copying the vault.yml file into that folder or renaming it to
/etc/ansible/group_vars/all.yml would help IMHO.

Of course this is only sensible if the values are for all hosts,
otherwise creating an encrypted file e.g. azureservers.yml would be
the better option.

Johannes

[Brian Coca]

you can also do this: 

group_vars/<group_name>/vault.yml 

You can have multiple files on a group named dir.

--

----------

Brian Coca

[Johannes Kastl]

Am 31.03.16 schrieb Brian Coca:

> You can have multiple files on a group named dir.

Of course, but I thought the files the OP mentioned were for different
groups...

Johannes

[J Hawkesworth]

Hi Mark,

Bit late to this one but as well as using group_vars folders I'd suggest organizing things so that you aren't trying to do this:

ansible_ssh_pass: {{ winservers_password }}

so you can avoid a vault lookup of a var.  Instead I'd put the

ansible_ssh_pass: ACTUAL_SECRET_PASSWORD

into a separate file and vault that, then use the child groups mechanism to include the var in whatever groups you need.

Oh yeah, while you are orgainising things, might be worth switching to the new names e.g. ansible_user instead of ansible_ssh_user as I imagine the old names will get deprecated at some point.

HTH

Jon

[Mark Matthews]

Hi guys

Thank you so much for all your feedback. Getting a little confused as to what to do now though.

Do I create the following folder /etc/ansible/group_vars/all and just copy all the files into that folder? Will that solve the problem?

Jon - Im not exactly sure what you mean by, "into a separate file and vault that, then use the child groups mechanism to include the var in whatever groups you need."

Can you not just have one vault file with all variables that you want secure, and then just refer to those variables in all your playbooks?

Cheers

On Wednesday, March 30, 2016 at 5:25:50 PM UTC+1, Mark Matthews wrote:

[Arbab Nazar]

Mark,

just give a try with the /etc/ansible/group_vars/all and don't for to add the --ask-vault-pass to your playbook

--
You received this message because you are subscribed to a topic in the Google Groups "Ansible Project" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/ansible-project/Jloh5KRFLKg/unsubscribe.
To unsubscribe from this group and all its topics, send an email to ansible-proje...@googlegroups.com.
To post to this group, send email to ansible...@googlegroups.com.

To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/95a14dd7-3db1-4fba-be56-222b49252e4d%40googlegroups.com.

[Mike Biancaniello]

Every item in group_vars/ is named to match a group name. These items can be either files (my_group, my_group.yml) or directories (my_group/). If it is a directory, then it works similarly to a .d/ directory where all of the files in that dir are imported.

These are equivilent structures:

1. One file:

group_vars/group1.yml

---
var1: val1
var2: val2

2. One Directory:

group_vars/group1/arbitrary_file1.yml

---
var1: val1

group_vars/group1/arbitrary_file2.yml

---
var2: val2

In my playbooks, I tend to make the all group a dir so that I can better organize those vars and use the filenames as a sort of documentation or comment.

group_vars/
├── all
│   ├── defaults.yml
│   ├── definitions.yml
│   ├── lookups.yml
│   ├── servers.yml
│   └── users.yml
├── arista.yml

I have also found it best to keep sensitive vars in separate files (whether or not I encrypt them in a vault) using the group_vars dir structure.

My problem with vault is that you need the password to unlock it and if you are checking things into git, then everyone has to use the same password to unlock the vault, so now you have to deal with how to tell people what that password is and what to do when it changes, etc.

So, in my playbooks, I store sensitive vars in a secure datastore where I can control who has access to read and write. Then, instead of locking the vars in a vault, I use a lookup which is able to use the local user's personal creds for auth.

e.g.

group_vars/all/lookups.yml

---
## Vars I don't want to store in git
enpass: "{{ lookup('hss', 'enpass', objid='ans_vars.json') }}"
snmpro: "{{ lookup('hss', 'snmpro', objid='ans_vars.json') }}"