Questions regarding the ansible sops collection

Christian Schoepplein

Apr 27, 2022, 3:57:14 AM
to ansible...@googlegroups.com
Hello,

I am relatively new to ansible and I want to use the sops collection to
decrypt some sensitive data for our ansible playbooks / roles that we want to
store in a git repo. Unfortunately things are not working as expected, which
might be because I do not understand all things correctly. It would be great
if you can help me sort things out...

For test reasons and to understand how to work with sops and ansible I did
the following:

1. I've created a file
inventories/test/group_vars/ansible_become_password.sops.yml with the
following decrypted content:

-----
ansible_become_password: ansible
-----

2. I've encrypted the file with an age key which I have created before:

-----
$ export SOPS_AGE_KEY=AGE-SECRET-KEY-1S47MVM0HF2PDHDQJCNDS4DKERKYC934GGEF2RMHR5HZPS9SNRTLQRF27CG
$ sops -i --encrypt ansible_become_password.sops.yml
-----

After encryption the file looks the following:

-----
ansible_become_password: ENC[AES256_GCM,data:Zkn2s/bHGg==,iv:SCV9y/YXMpkDj1IE2qOn5trpUsIcxkVYAomF/xx7eUk=,tag:xLpdfJd11B8HozlzbBjG/Q==,type:str]
sops:
    kms: []
    gcp_kms: []
    azure_kv: []
    hc_vault: []
    age:
        - recipient: age1yh00zlvnk4397ndm0tx2q0ppvj8zrm70ze0nkesgglrwy40hnc6qdnldr3
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBXdEIzRHJydnA0T1NZYXFI
            NmRTUGFpUkRmcXNnVmxiN01IbEtvN3pUL1FzCjNGcDA4bFBIcTFOUGtzcUtLb09p
            U1JFR1NIVHpkcnhYQzRmUXZoY2FvTDAKLS0tIGlSeEVkK2loS3JRc0J4TmsxWlRz
            cUd6K3RrcDh2UWtneUNqQzJJQlJ5UVkKmSBZvCqwocJhR124bHbIqXC+QQsLrcWs
            EcijjIeW5fI9DmqyHgyw59DhN2QNGz48vObMoPAeoQU00s2skGEqMA==
            -----END AGE ENCRYPTED FILE-----
    lastmodified: "2022-04-27T07:21:50Z"
    mac: ENC[AES256_GCM,data:eYHOoJykNR4iNMIk8xXU/RfzLuddAaK0y0ZR3rLz30wlzg0Gx4aMzdjzOm/TbbI8qV7z3bWE1JxHpSt/SVEKRvAv9hjVRO3GBUKSTnFSo97qgmFc/fILVSMIsuMZWqO8IuV9MPfT0Mx5fEa4tUGOPZPSZoT11/YS3++sJp5GjSI=,iv:zMQkCpUOe2VvIxpQoFfHew8OiCxjmEtWhdMZvzZ2/AQ=,tag:EHo/0fKLpN/bfr0Ro1vKHQ==,type:str]
    pgp: []
    unencrypted_suffix: _unencrypted
    version: 3.7.2
-----

This looks good to me...

3. Now I've created this little playbook to test decryption:

-----
---
- name: Create sops-encrypted private key
  hosts: localhost
  gather_facts: false
  tasks:
    - name: Load encrypted credentials
      community.sops.load_vars:
        file: /home/cs/git/linova/linova-gitops/ansible/inventories/test/group_vars/ansible_become_password.sops.yml
        expressions: evaluate-on-load

    - name: Show password
      debug:
        msg: "The password is {{ ansible_become_password }}"
-----

4. When I run the playbook I get the following output:

-----
cs@d5421:~/git/linova/linova-gitops/ansible$ ansible-playbook playbooks/testsops.yml
[WARNING]: Unable to parse /home/cs/git/linova/linova-gitops/ansible/inventories/devel/inventory as an inventory source
[WARNING]: No inventory was parsed, only implicit localhost is available
[WARNING]: provided hosts list is empty, only localhost is available. Note that the implicit localhost does not match 'all'

PLAY [Create sops-encrypted private key]
*******************************************************************************************************************************************************************************************************
[WARNING]: Removed restricted key from module data: ansible_become_password = ansible

TASK [Load encrypted credentials]
**************************************************************************************************************************************************************************************************************
ok: [localhost]

TASK [Show password]
***************************************************************************************************************************************************************************************************************************
fatal: [localhost]: FAILED! =>
msg: |-
The task includes an option with an undefined variable. The error was: 'ansible_become_password' is undefined

The error appears to be in '/home/cs/git/linova/linova-gitops/ansible/playbooks/testsops.yml': line 10, column 7, but may
be elsewhere in the file depending on the exact syntax problem.

The offending line appears to be:


- name: Show password
^ here
to retry, use: --limit @/home/cs/.ansible/retry-files/testsops.retry

PLAY RECAP
*************************************************************************************************************************************************************************************************************************************
localhost : ok=1 changed=0 unreachable=0 failed=1 skipped=0 rescued=0 ignored=0

cs@d5421:~/git/linova/linova-gitops/ansible$
-----

Somehow the decryption seems to work, which is fine. But then I have a
problem using the variable with the decrypted value...

My questions are:

1. Am I going in the right direction and are my steps OK in general, or am
I following a wrong way to handle our encrypted data with the plugin?
2. What am I doing wrong in the playbook above and how can I work with the
decrypted variable further on?
3. Is it OK to work with the ansible_become_password variable this way in
general or is it a totally wrong approach? I need to use
ansible_become_password because sudo without password is not possible on our
systems and we do not want to change this if it is not really necessary.


As said, I am relatively new to ansible, so I still have many things to
learn. But solving the problem of storing confidential data in git is a central
task I'd like to solve and I do not want to use ansible vault because we are
planning to use sops also for other things and having one solution for de-
and encrypting data in git would be nice.


Cheers and thanks a lot for any help and hints,

Christian


Felix Fontein

Apr 27, 2022, 12:16:00 PM
to ansible...@googlegroups.com
Hi,

> I am relatively new to ansible and I want to use the sops collection
> to decrypt some sensitive data for our ansible playbooks / roles that
> we want to store in a git repo. Unfortunately things are not working
> as expected, which might be because I do not understand all things
> correctly. It would be great if you can help me sort things out...
>
> For test reasons and to understand how to work with sops and ansible
> I did the following:
>
> 1. I've created a file
> inventories/test/group_vars/ansible_become_password.sops.yml with the
> following decrypted content:
> [...]
> This looks good to me...
>
> 3. Now I've created this little playbook to test decryption:
>
> -----
> ---
> - name: Create sops-encrypted private key
>   hosts: localhost
>   gather_facts: false
>   tasks:
>     - name: Load encrypted credentials
>       community.sops.load_vars:
>         file: /home/cs/git/linova/linova-gitops/ansible/inventories/test/group_vars/ansible_become_password.sops.yml
>         expressions: evaluate-on-load
>
>     - name: Show password
>       debug:
>         msg: "The password is {{ ansible_become_password }}"
> -----



> 4. When I run the playbook I get the following output:
>
> [WARNING]: Removed restricted key from module data:
> ansible_become_password = ansible

This is the relevant warning. Ansible-core apparently does not allow
modules or action plugins to return certain values, in particular
ansible_become_password. Since you are asking the
community.sops.load_vars action to decrypt a file containing that
value, and ansible-core throws that value away, you cannot use it later
on.

(This is in part because community.sops.load_vars is kind of a hack.
Proper variable loading is not possible for actions that are not part
of ansible-core itself.)

> 1. Am I going into the right direction and are my steps OK in
> general, or do I follow a wrong way to handle our encrypted data with
> the plugin?

Instead of using community.sops.load_vars, you should use the
community.sops.sops vars plugin. That allows loading group and host
vars that are sops encrypted. To use this, you need to activate the
vars plugin as shown here:
https://github.com/ansible-collections/community.sops#vars-plugin

I think your inventory file is named correctly so that simply enabling
the community.sops.sops vars plugin should suffice in your case. With
it, simply this should already work:

-----
---
- name: Create sops-encrypted private key
  hosts: localhost
  gather_facts: false
  tasks:
    - name: Show password
      debug:
        msg: "The password is {{ ansible_become_password }}"
-----

Best regards,
Felix
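Since the point of the thread is keeping secrets in git only in their sops-encrypted form, here is a small pre-commit style check, added as an example that is not code from the thread or from the community.sops collection: it scans a sops YAML document line by line and reports every scalar that is not an ENC[...] blob, skipping the `sops:` metadata block and honouring the file's `unencrypted_suffix`. It assumes the file layout shown in the thread (sops 3.x YAML output); the two sample documents are constructed, not the real file.

```python
import re

# Shape of a sops-encrypted scalar, as in the file posted in the thread:
#   ENC[AES256_GCM,data:<b64>,iv:<b64>,tag:<b64>,type:<str|int|float|bool>]
ENC_RE = re.compile(r"^ENC\[AES256_GCM,data:[A-Za-z0-9+/=]*,iv:[A-Za-z0-9+/=]+,"
                    r"tag:[A-Za-z0-9+/=]+,type:(str|int|float|bool)\]$")
# A "key: value" line (or a "- key: value" list item), capturing its indentation.
KV_RE = re.compile(r"^(?P<indent>[ \t]*)(?:- )?(?P<key>[A-Za-z0-9_.-]+):[ \t]*(?P<value>.*)$")


def find_plaintext_values(text):
    """Return [(key, value), ...] for scalars that are not ENC[...] blobs.
    The top-level `sops:` metadata block is skipped (it legitimately holds plaintext such
    as recipients and version); keys ending in the unencrypted_suffix may stay plain."""
    lines = text.splitlines()
    suffix = "_unencrypted"  # sops' default; the first pass picks up the configured one
    for line in lines:
        m = KV_RE.match(line)
        if m and m.group("key") == "unencrypted_suffix" and m.group("value").strip():
            suffix = m.group("value").strip().strip("\"'")
    leaks, in_sops_block = [], False
    for line in lines:
        m = KV_RE.match(line)
        if m is None or line.lstrip().startswith("#"):
            continue
        key, value = m.group("key"), m.group("value").strip()
        if m.group("indent") == "":  # a new top-level key starts or ends the sops block
            in_sops_block = key == "sops"
        if in_sops_block or value in ("", "|", ">") or key.endswith(suffix):
            continue  # metadata, a nested structure (its children are checked), or intentionally plain
        if not ENC_RE.match(value.strip("\"'")):
            leaks.append((key, value))
    return leaks


# Constructed samples (not the thread's real file): one encrypted, one still in plaintext
# as in step 1 of the question, i.e. what a forgotten `sops --encrypt` leaves behind.
ENCRYPTED = """\
ansible_become_password: ENC[AES256_GCM,data:Zkn2s/bHGg==,iv:SCV9y/YXMpkDj1IE2qOn5trpUsIcxkVYAomF/xx7eUk=,tag:xLpdfJd11B8HozlzbBjG/Q==,type:str]
notes_unencrypted: plain text is allowed here
sops:
    age:
        - recipient: age1placeholderrecipient
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            placeholder
            -----END AGE ENCRYPTED FILE-----
    unencrypted_suffix: _unencrypted
    version: 3.7.2
"""
PLAINTEXT = "ansible_become_password: ansible\n"
```

Run it over every `*.sops.yml` in the repo from a git pre-commit hook and refuse the commit when the returned list is non-empty.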

