Is there a task/module to create a vaulted file?

Dick Visser

May 28, 2024, 9:18:18 AM
to ansible...@googlegroups.com
Hi

In one of my playbooks there is a task that is creating a token through an API.
As the next task, I would like to store that token somewhere in my vars hierarchy.
If it were a plain text variable that would be easy.

But I don't seem to be able to save a vaulted file with a task.

One approach is with the pipe lookup and ansible-vault encrypt (seems a bit ugly/unsafe):

- name: save token
  ansible.builtin.copy:
    # shell-quote the token and pipe it into ansible-vault (the '|' before ansible-vault is required)
    content: "{{ lookup('ansible.builtin.pipe', 'echo ' ~ token | quote ~ ' | ansible-vault encrypt') }}"
    dest: /tmp/out1
    mode: 0600

This seems to work, and because ansible.cfg contains the right information (vault_identity_list, vault_encrypt_identity) the encrypted content looks good, when I'm debugging.
But the actual file contents are plain text again. It seems the copy module decrypts the encrypted content again? How can I force the content to NOT be decrypted?

Another approach is the vault filter, which seems to be a bit cleaner. I thought this would do the trick:

- name: save token
  ansible.builtin.copy:
    content: "{{ token | ansible.builtin.vault }}"
    dest: /tmp/out2
    mode: 0600

But that didn't work, the filter insists on an actual secret value. I then must do a separate lookup for the ansible vault password. But the vault password file can also be an executable that sends the secret to stdout. I don't want to have to implement that logic myself.

Is there a way for the ansible.builtin.vault filter to use the vault_identity_list and vault_encrypt_identity that are in ansible.cfg?

To see if it worked at all, I just hard-coded the actual secret like this:

- name: save token
  ansible.builtin.copy:
    content: "{{ token | ansible.builtin.vault('hackme') }}"
    dest: /tmp/out2
    mode: 0600

Just like the other example, this works but the content is again decrypted by the copy module.


Any hints are appreciated :)

tnx

Dick



Dick Visser

May 28, 2024, 9:23:38 AM
to ansible...@googlegroups.com
On Tue, 28 May 2024 at 15:17, Dick Visser <dnmv...@gmail.com> wrote:

This seems to work, and because ansible.cfg contains the right information (vault_identity_list, vault_encrypt_identity) the encrypted content looks good, when I'm debugging.
But the actual file contents are plain text again. It seems the copy module decrypts the encrypted content again? How can I force the content to NOT be decrypted?

I had never noticed that 🤡

So the first task does work now.

Still my other question remains:

Andrew Latham

May 28, 2024, 9:42:41 AM
to ansible...@googlegroups.com
Unable to test from current location but do you need to delegate_to for this?

--
You received this message because you are subscribed to the Google Groups "Ansible Project" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ansible-proje...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/CAF8BbLYAsqbxCdZf8CU51%3DjCw5MJT-rwg%3DYweT7R%2BU6n4kAMLg%40mail.gmail.com.


--
- Andrew "lathama" Latham -

Dick Visser

May 28, 2024, 10:18:46 AM
to ansible...@googlegroups.com
On Tue, 28 May 2024 at 15:42, Andrew Latham <lat...@gmail.com> wrote:
Unable to test from current location but do you need to delegate_to for this?

Yes, I didn't explicitly mention it, but I'm running all the tasks from a dedicated "local" play with these settings:

- name: API tasks
  hosts: foo_hosts
  # This is an API-only play, so we run it locally - not from the actual hosts
  connection: local
  become: false
  gather_facts: false
  tags: foo,always
  run_once: true

  tasks:
    - name: blah
    ....

Andrew Latham

May 28, 2024, 11:23:56 AM
to ansible...@googlegroups.com
I saw https://github.com/ansible/ansible/pull/79864 which is related. I am interested in this as it sounds useful to many. I wildly assume the solution is obvious. Maybe drop the token into a local dir and a later task can encrypt any files found in said dir and copy them to the vars dir of your choice.
