Is it possible to encrypt non-YAML data with Vault?


Alex Dunae

Apr 17, 2014, 1:51:25 PM
to ansible...@googlegroups.com
I'm looking to put our ~10 SSL certificates in our repository and have them installed with Ansible.  From what I can tell, it seems that I can only use vault for data in YAML files, not arbitrary plaintext files.  I've started making a YAML file with vars for each cert and private key, but it's pretty unwieldy.

Ideally, I'd be able to put each cert and key in its own file and encrypt each one that way.  Is there a workflow to do that that I've somehow missed?

Thanks in advance for any help.

Michael DeHaan

Apr 17, 2014, 4:14:55 PM
to ansible...@googlegroups.com
It's only there to encrypt data files for Ansible at this point, as it's wired in to decrypt if it detects the vault headers in data files.

It could be made to work with the {{ lookup('file', '/path/to/file') }} style lookup plugin, but that's not something this plugin can do right now.

Pull requests for this would be interesting -- or if you'd also like to file a feature idea ticket, we can at least record the idea.

Thanks!


Alex Dunae

Apr 17, 2014, 5:23:14 PM
to ansible...@googlegroups.com
Thanks Michael.  The lookup seems like it would still have the same limitations, since the target files would either be out of the repo or unencrypted.  I'll distill my thoughts and do a feature req.

Michael DeHaan

Apr 17, 2014, 5:55:49 PM
to ansible...@googlegroups.com
"The lookup seems like it would still have the same limitations, since the target files would either be out of the repo or unencrypted.  I'll distill my thoughts and do a feature req."

Indeed true about the remote nodes, which is kind of why we didn't do it as part of the original pass.

Thanks!
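
An added example, not part of the thread or of Ansible's own code: a repository check built on the header detection Michael describes, flagging private-key files that sit in the repo without a vault header. It assumes the vault envelope's first line has the form `$ANSIBLE_VAULT;<version>;<cipher>` (optionally followed by a vault ID); the function names and sample files are hypothetical.

```python
import re

# Assumed vault envelope first line: $ANSIBLE_VAULT;<version>;<cipher>[;<vault-id>]
VAULT_HEADER = re.compile(r"^\$ANSIBLE_VAULT;(\d+\.\d+);([A-Z0-9]+)(?:;([^\s;]+))?$")
# Matches PEM private-key markers such as "RSA PRIVATE KEY" or "PRIVATE KEY".
PEM_PRIVATE_KEY = re.compile(r"-----BEGIN (?:[A-Z0-9]+ )*PRIVATE KEY-----")


def parse_vault_header(text):
    """Return (version, cipher, vault_id) if text starts with a vault header, else None."""
    lines = text.splitlines()
    first_line = lines[0].strip() if lines else ""
    match = VAULT_HEADER.match(first_line)
    return match.groups() if match else None


def classify(text):
    """Label one file's content as 'vault', 'plaintext-key' or 'other'."""
    if parse_vault_header(text):
        return "vault"
    if PEM_PRIVATE_KEY.search(text):
        return "plaintext-key"
    return "other"


def audit(files):
    """Given {path: content}, return the sorted paths holding unencrypted private keys."""
    return sorted(p for p, body in files.items() if classify(body) == "plaintext-key")


# Constructed sample repository contents (not real keys or ciphertext).
SAMPLE = {
    "certs/site1.key": "-----BEGIN RSA PRIVATE KEY-----\nMIIB(constructed)\n"
                       "-----END RSA PRIVATE KEY-----\n",
    "certs/site2.key": "$ANSIBLE_VAULT;1.1;AES256\n3638(constructed hex)\n",
    "certs/site1.crt": "-----BEGIN CERTIFICATE-----\nMIIC(constructed)\n"
                       "-----END CERTIFICATE-----\n",
    "group_vars/all.yml": "ssl_port: 443\n",
}

if __name__ == "__main__":
    for path in audit(SAMPLE):
        print("unencrypted private key:", path)
```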

