Vault and "dictionaries" - bug or feature request?
36 views
Skip to first unread message
Dan Linder
Oct 11, 2017, 10:24:57 PM10/11/17
to Ansible Project
I've have a dictionary variable setup that has accounts and passwords:
This variable it works as expected. When I update one of the passwords to a vaulted version like this:
...the ansible-playbook complains about it with this message:
I've tried variations such as removing the "|" and putting everything from "!vault" through "3732" on the same line (removing spaces), using a "<" instead of the "|", etc.
Am I doing it wrong? Is this a bug in the vault string handling that I should report? Or is this a "not yet implemented" variation on vault data that I should put in for a feature request?
password_list:
- { name: "user1",
password: "user1pwd"
}
- { name: "user2",
password: "user2pwd"
}
- { name: "user3",
password: "user3pwd"
}
This variable it works as expected. When I update one of the passwords to a vaulted version like this:
password_list:
- { name: "user1",
password: "user1pwd"
}
- { name: "user2",
password: !vault |
$ANSIBLE_VAULT;1.1;AES256
66366265333266666432626431646631356664663262326535346265353939383239626634636331
6462666364303539336132346430346432333564346663300a623333613666333330626330643735
64613664383733333839313434303433663164363030383663336663656432613965663862656237
3631366664646332610a636230616334306232336263313139623264663338613538643163356239
3732
}
- { name: "user3",
password: "user3pwd"
}
...the ansible-playbook complains about it with this message:
The offending line appears to be:
- { name: "user2",
password: !vault |
^ here
exception type: <class 'yaml.scanner.ScannerError'>
exception: while scanning for the next token
found character that cannot start any token
in "<unicode string>", line 30, column 28
I've tried variations such as removing the "|" and putting everything from "!vault" through "3732" on the same line (removing spaces), using a "<" instead of the "|", etc.
Am I doing it wrong? Is this a bug in the vault string handling that I should report? Or is this a "not yet implemented" variation on vault data that I should put in for a feature request?
Dan Linder
Oct 16, 2017, 3:23:26 PM10/16/17
to Ansible Project
I've added an issue to the Ansible github project for this:
For what it's worth, if I convert the variable to a dictionary (instead of a list) and pass that through the list Jinja2 filter it works as a list:
---
- hosts: localhost
gather_facts: false
# Run like this:
# ./test01.yml --ask-vault-pass
# (Enter "test" for the password)
vars:
userlist:
user1:
password: "user1pwd"
user2:
password: !vault |
$ANSIBLE_VAULT;1.1;AES256
62613930343865373434316635616466383633396539303135666565363539396662386636303763
3237393664306333333063363863366239323733336432350a396337393861363463613734306339
34393165343861363534656533383834353233323464626461393031623265373537353732356337
3634353837343363370a366531633331333462333261376633636662323131356366653566646239
3830
user3:
password: "user3pwd"
tasks:
- name: "Dict variable"
debug:
msg: "name: {{item.key}}, password: {{item.value.password}}"
with_dict: "{{ userlist }}"
- name: "List variable"
debug:
msg: "name: {{item}}, password: {{item.password}}"
with_items: "{{ userlist.values() | list }}"Reply all
Reply to author
Forward
0 new messages