Sunday, May 3, 2020

Ansible Vault

Ansible Vault lets you encrypt files and individual values used by Ansible. With it you can protect sensitive data that a play needs at run time, such as passwords or private keys, so that it is not stored in plaintext in your playbooks, inventory or variable files. Ansible decrypts vault-encrypted content automatically at run time when the vault password is supplied.

Let's see how to use Ansible Vault. I will demonstrate some common ansible-vault operations on a playbook that has already been run once in plaintext.


[ansible@ansiblemaster ~]$ ansible-playbook motd.yml

PLAY [playbook to check filesystem.] **********************************************************************************************************************************

TASK [Gathering Facts] ************************************************************************************************************************************************
ok: [db1]
ok: [web1]

TASK [command] ********************************************************************************************************************************************************
changed: [db1]
changed: [web1]

TASK [filesystem status] **********************************************************************************************************************************************
ok: [web1] => {
    "msg": [
        "This system is web1 server of  mylinuxfriends.blogspot.com ",
        "Today date is : 2020-04-26",
        "",
        "You can drop email to anuj@mylinuxfriends.blogspot.com in case any query.",
        "Thanks......!"
    ]
}
ok: [db1] => {
    "msg": [
        "This server has Total memory: 1014 MBs.",
        "free memory on this system is : 760 MBs.",
        "",
        "Note: if you see any memory issue email: ansible@localhost"
    ]
}

PLAY RECAP ************************************************************************************************************************************************************
db1                        : ok=3    changed=1    unreachable=0    failed=0  
web1                       : ok=3    changed=1    unreachable=0    failed=0  

[ansible@ansiblemaster ~]$
[ansible@ansiblemaster ~]$
[ansible@ansiblemaster ~]$ ansible-vault encrypt motd.yml
New Vault password:
Confirm New Vault password:
Encryption successful
[ansible@ansiblemaster ~]$
[ansible@ansiblemaster ~]$
[ansible@ansiblemaster ~]$ cat motd.yml
$ANSIBLE_VAULT;1.1;AES256
35623139363930313035646263653432353362346238663034323335666430633263316131383534
6638646230666534303966303736353231636139353665660a353939353265333037303265636636
38663839333831373836653832653763393161333833333132353837636565633461623462666631
3234666465633365620a633335663866653261663730656161336237393833336166326632373363
61333464643039393462623636393065633036373839653435333837613737336564383836353866
37383264653538643335633032356337623866356230303965303064626662353431653638633132
34336566636262326638646461306361363166366361363032623934326135323031366163373431
36633431653965336437373138336361373261303139363736316362656265313766356631343565
33333539386430626135323536633430613166326365303639656335306464643733643634353763
31313736633864653137343739313637323932393031646537393762336433616237633362643236
63663866333462373566343738363338383930656635306531356431383730303234636265313766
65316339356261636232643132613131393030333630316464373332626363663566653339336537
65313834373130343063396463373437363766373330653832346434316362366366336235333132
65353961653537313637386439323061623238626662373562353030366261383136643338393364
32623936613133316433333964386165366537303132613830306433326463346335303762396633
35373961616639303035613565323039353632326562383631623438653731613962633438343165
32633634653566623534363666616138666539336164363038303466633839326230633861383631
63323132353537373930366133633331633738616137303165633335323334366263323065383836
37373662343138653731323266363162646131663964653131666238613137663031373731326338
38343034663934356365653763666435313861393265643763623762306166383533643237376261
34616363386434393032313561373438356637323638613638356332623430636434346662316361
64333831333634343330633466323031316664616435313637663564303438373363346661336562
61616162613937653838356332663834346332363061376666623537333931383033303662663336
61323134383235643339373238363739343639663562363731333365363538323436336433316135
34643535306431383631663736306330323462346333353837386436376634313635343736316139
61323561636262666235333839313565333563623466333834633934326631626565303931326464
61366266306634313462616432363638363766626636343262616439386237326539613064663265
61653835333638396239346635316533626361336436383532653132326633623938326335393435
6662
[ansible@ansiblemaster ~]$
[ansible@ansiblemaster ~]$ ansible-vault view motd.yml
Vault password:                                              <============= give an incorrect password; decryption should fail
ERROR! Decryption failed (no vault secrets were found that could decrypt) for motd.yml



==================================
Viewing an encrypted file
==================================

[ansible@ansiblemaster ~]$ ansible-vault view motd.yml    <=========== now give the correct password, the one set during "ansible-vault encrypt motd.yml"
Vault password:
---
- name: playbook to check filesystem.
  hosts: all
  tasks:
    - name:
      command: cat '/etc/motd'
      register: fs_out
      when:
        - (ansible_os_family == "RedHat" and ansible_distribution_major_version == "7")
        - ansible_distribution == "CentOS"
#     when: (ansible_facts['distribution'] == "CentOS" and ansible_facts['distribution_major_version'] == "7")
    - name: "filesystem status"
      debug:
        msg: "{{ fs_out.stdout.split('\n') }}"



======================================================================================
You can run an encrypted playbook in two ways:

1.) supply the vault password at run time with --ask-vault-pass
2.) decrypt the playbook and then run it
======================================================================================


******run playbook by METHOD-1, that is --ask-vault-pass

[ansible@ansiblemaster ~]$ ansible-playbook motd.yml --ask-vault-pass
Vault password:

PLAY [playbook to check filesystem.] **********************************************************************************************************************************

TASK [Gathering Facts] ************************************************************************************************************************************************
ok: [web1]
ok: [db1]

TASK [command] ********************************************************************************************************************************************************
changed: [db1]
changed: [web1]

TASK [filesystem status] **********************************************************************************************************************************************
ok: [web1] => {
    "msg": [
        "This system is web1 server of  mylinuxfriends.blogspot.com ",
        "Today date is : 2020-04-26",
        "",
        "You can drop email to anuj@mylinuxfriends.blogspot.com in case any query.",
        "Thanks......!"
    ]
}
ok: [db1] => {
    "msg": [
        "This server has Total memory: 1014 MBs.",
        "free memory on this system is : 760 MBs.",
        "",
        "Note: if you see any memory issue email: ansible@localhost"
    ]
}

PLAY RECAP ************************************************************************************************************************************************************
db1                        : ok=3    changed=1    unreachable=0    failed=0  
web1                       : ok=3    changed=1    unreachable=0    failed=0  

[ansible@ansiblemaster ~]$


[ansible@ansiblemaster ~]$


********* Run playbook with METHOD-2: decrypt the motd.yml playbook and then run it



[ansible@ansiblemaster ~]$ ansible-vault decrypt motd.yml
Vault password:
Decryption successful
[ansible@ansiblemaster ~]$ less motd.yml
[ansible@ansiblemaster ~]$ cat motd.yml
---
- name: playbook to check filesystem.
  hosts: all
  tasks:
    - name:
      command: cat '/etc/motd'
      register: fs_out
      when:
        - (ansible_os_family == "RedHat" and ansible_distribution_major_version == "7")
        - ansible_distribution == "CentOS"
#     when: (ansible_facts['distribution'] == "CentOS" and ansible_facts['distribution_major_version'] == "7")
    - name: "filesystem status"
      debug:
        msg: "{{ fs_out.stdout.split('\n') }}"
[ansible@ansiblemaster ~]$ 



[ansible@ansiblemaster ~]$ ansible-playbook motd.yml

PLAY [playbook to check filesystem.] **********************************************************************************************************************************

TASK [Gathering Facts] ************************************************************************************************************************************************
ok: [db1]
ok: [web1]

TASK [command] ********************************************************************************************************************************************************
changed: [db1]
changed: [web1]

TASK [filesystem status] **********************************************************************************************************************************************
ok: [web1] => {
    "msg": [
        "This system is web1 server of  mylinuxfriends.blogspot.com ",
        "Today date is : 2020-04-26",
        "",
        "You can drop email to anuj@mylinuxfriends.blogspot.com in case any query.",
        "Thanks......!"
    ]
}
ok: [db1] => {
    "msg": [
        "This server has Total memory: 1014 MBs.",
        "free memory on this system is : 760 MBs.",
        "",
        "Note: if you see any memory issue email: ansible@localhost"
    ]
}

PLAY RECAP ************************************************************************************************************************************************************
db1                        : ok=3    changed=1    unreachable=0    failed=0  
web1                       : ok=3    changed=1    unreachable=0    failed=0  

[ansible@ansiblemaster ~]$






==========================================================
How to edit a file encrypted with ansible-vault (opens the decrypted content in $EDITOR and re-encrypts it on save)
==========================================================
[ansible@ansiblemaster ~]$
[ansible@ansiblemaster ~]$ ansible-vault edit motd.yml
Vault password:
[ansible@ansiblemaster ~]$


==========================================================
How to change the vault password with ansible-vault rekey
==========================================================

[ansible@ansiblemaster ~]$ ansible-vault rekey motd.yml
Vault password:
New Vault password:
Confirm New Vault password:
Rekey successful

[ansible@ansiblemaster ~]$ ansible-vault view motd.yml
Vault password:           <====== give the old password; it should no longer work
ERROR! Decryption failed (no vault secrets were found that could decrypt) for motd.yml
[ansible@ansiblemaster ~]$
[ansible@ansiblemaster ~]$ ansible-vault view motd.yml  <=== now give the new password
Vault password:
---
- name: playbook to check filesystem.
  hosts: all
  tasks:
    - name:
      command: cat '/etc/motd'
      register: fs_out
      when:
        - (ansible_os_family == "RedHat" and ansible_distribution_major_version == "7")
        - ansible_distribution == "CentOS"
#     when: (ansible_facts['distribution'] == "CentOS" and ansible_facts['distribution_major_version'] == "7")
    - name: "filesystem status"
      debug:
        msg: "{{ fs_out.stdout.split('\n') }}"
[ansible@ansiblemaster ~]$
[ansible@ansiblemaster ~]$
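Both failures above (the wrong password at the first `ansible-vault view`, and the old password after `rekey`) come from the same check. ansible-vault derives an AES key, an HMAC key and an IV from the password plus a random 32-byte per-file salt using PBKDF2-HMAC-SHA256 (10000 iterations), and verifies an HMAC-SHA256 over the ciphertext before it decrypts anything; a wrong password derives a different HMAC key, the tag does not verify, and you get "Decryption failed". Rekeying writes a fresh salt and a new tag, so the old password stops verifying. The following Python is an added example, not code from the original post or from Ansible itself: it parses the envelope shown earlier (`$ANSIBLE_VAULT;1.1;AES256` header, hex payload wrapped at 80 columns) and performs that password check with only the standard library. It does not implement the AES-256-CTR step, so the ciphertext bytes it wraps are placeholders constructed for the demo.

```python
"""Inspect an Ansible Vault 1.1/1.2 envelope and check a password against it
without decrypting (stdlib only: PBKDF2-HMAC-SHA256 + HMAC-SHA256)."""
import binascii
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional, Tuple

HEADER = "$ANSIBLE_VAULT"
KDF_ITERATIONS = 10000          # fixed in Ansible's VaultAES256 cipher
KEY_LEN, IV_LEN = 32, 16        # AES-256 key; 16-byte CTR nonce/IV
WRAP = 80                       # ansible-vault wraps the hex payload at 80 columns


@dataclass
class Envelope:
    version: str
    cipher: str
    vault_id: Optional[str]
    salt: bytes
    mac_hex: str        # HMAC-SHA256 tag, stored as hex text
    ciphertext: bytes   # AES-256-CTR output over PKCS7-padded plaintext


def parse_envelope(text: str) -> Envelope:
    """Split a vault file into header fields and the salt/HMAC/ciphertext triple."""
    lines = text.strip().splitlines()
    if not lines:
        raise ValueError("empty input")
    parts = lines[0].strip().split(";")
    if parts[0] != HEADER or len(parts) not in (3, 4):
        raise ValueError("not an Ansible Vault envelope")
    version, cipher = parts[1], parts[2]
    vault_id = parts[3] if len(parts) == 4 else None
    if version not in ("1.1", "1.2") or cipher != "AES256":
        raise ValueError(f"unsupported vault format {version}/{cipher}")
    # The body is hex of the ASCII text "salt_hex\nhmac_hex\nciphertext_hex".
    inner = binascii.unhexlify("".join(line.strip() for line in lines[1:]))
    salt_hex, mac_hex, ct_hex = inner.split(b"\n")
    return Envelope(version, cipher, vault_id, binascii.unhexlify(salt_hex),
                    mac_hex.decode("ascii"), binascii.unhexlify(ct_hex))


def derive_keys(password: str, salt: bytes) -> Tuple[bytes, bytes, bytes]:
    """PBKDF2-HMAC-SHA256 -> 80 bytes: AES key, HMAC key, CTR IV (in that order)."""
    raw = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                              KDF_ITERATIONS, 2 * KEY_LEN + IV_LEN)
    return raw[:KEY_LEN], raw[KEY_LEN:2 * KEY_LEN], raw[2 * KEY_LEN:]


def password_matches(env: Envelope, password: str) -> bool:
    """Ansible checks HMAC-SHA256(key2, ciphertext) before it decrypts. A wrong
    password derives a different key2, the tag does not verify, and the CLI
    reports 'Decryption failed (no vault secrets were found that could decrypt)'.
    compare_digest keeps the comparison constant-time."""
    _, key2, _ = derive_keys(password, env.salt)
    tag = hmac.new(key2, env.ciphertext, hashlib.sha256).hexdigest()
    return hmac.compare_digest(tag, env.mac_hex)


def build_envelope(password: str, ciphertext: bytes, vault_id: Optional[str] = None,
                   salt: Optional[bytes] = None) -> str:
    """Wrap a ciphertext the way ansible-vault does. The AES-256-CTR step is not
    reproduced here (the stdlib has no AES), so the caller supplies the ciphertext.
    A rekey is this same wrapping with a fresh salt and the new password."""
    salt = salt if salt is not None else os.urandom(32)
    _, key2, _ = derive_keys(password, salt)
    mac_hex = hmac.new(key2, ciphertext, hashlib.sha256).hexdigest()
    inner = b"\n".join([binascii.hexlify(salt), mac_hex.encode("ascii"),
                        binascii.hexlify(ciphertext)])
    outer = binascii.hexlify(inner).decode("ascii")
    header = f"{HEADER};1.2;AES256;{vault_id}" if vault_id else f"{HEADER};1.1;AES256"
    body = [outer[i:i + WRAP] for i in range(0, len(outer), WRAP)]
    return "\n".join([header, *body]) + "\n"


# Constructed demo input: placeholder bytes standing in for real AES output.
DEMO_CIPHERTEXT = bytes(range(48))

if __name__ == "__main__":
    vaulted = build_envelope("correct horse", DEMO_CIPHERTEXT)
    env = parse_envelope(vaulted)
    print(vaulted.splitlines()[0], len(env.salt), len(env.ciphertext))
    print("right password:", password_matches(env, "correct horse"))
    print("wrong password:", password_matches(env, "wrong"))
    rekeyed = parse_envelope(build_envelope("new pass", DEMO_CIPHERTEXT))
    print("old password after rekey:", password_matches(rekeyed, "correct horse"))
```

Because the tag is checked first, a tampered or truncated ciphertext is also reported as "Decryption failed" rather than producing garbage YAML; the check tells you nothing about which of the two happened.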

===================================================
Storing the decrypted output in a separate file, which we can use as needed
===================================================

[ansible@ansiblemaster ~]$ ansible-vault decrypt motd.yml --output=motd.yml-decrypted
Vault password:
Decryption successful
[ansible@ansiblemaster ~]$

[ansible@ansiblemaster ~]$ cat motd.yml-decrypted
---
- name: playbook to check filesystem.
  hosts: all
  tasks:
    - name:
      command: cat '/etc/motd'
      register: fs_out
      when:
        - (ansible_os_family == "RedHat" and ansible_distribution_major_version == "7")
        - ansible_distribution == "CentOS"
#     when: (ansible_facts['distribution'] == "CentOS" and ansible_facts['distribution_major_version'] == "7")
    - name: "filesystem status"
      debug:
        msg: "{{ fs_out.stdout.split('\n') }}"
[ansible@ansiblemaster ~]$
[ansible@ansiblemaster ~]$
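Both METHOD-2 and `--output=motd.yml-decrypted` leave a plaintext copy on disk, and the usual failure mode is that copy ending up in version control. A less error-prone way to run an encrypted playbook without a prompt is `ansible-playbook motd.yml --vault-password-file ~/.vault_pass`, with that file kept outside the repository and readable only by you (mode 0600). The Python below is an added example, not code from the original post: a small pre-commit style check that refuses plaintext files in locations that should be vault-encrypted. The path conventions it enforces (vault files under group_vars/host_vars, a secrets/ directory, *.vault.yml, and the *-decrypted naming used above) and the sample tree are assumptions constructed for the demo.

```python
"""Pre-commit style check for the failure mode of 'decrypt, run, forget':
report files that must be vault-encrypted but are sitting in plaintext."""
import re
from pathlib import Path
from typing import Dict, List

# ansible-vault header: $ANSIBLE_VAULT;<1.1|1.2>;AES256[;<vault-id>] then a newline
VAULT_HEADER = re.compile(rb"^\$ANSIBLE_VAULT;1\.[12];AES256(;[^;\r\n]+)?\r?\n")

# Assumed repository convention (not from the page): these paths hold secrets.
SENSITIVE_PATHS = [
    re.compile(r"(^|/)(group_vars|host_vars)/.*vault[^/]*\.ya?ml$"),
    re.compile(r"\.vault\.ya?ml$"),
    re.compile(r"(^|/)secrets?/"),
    re.compile(r"-decrypted$"),   # output of 'ansible-vault decrypt --output=X-decrypted'
]


def is_vault_encrypted(data: bytes) -> bool:
    """True when the file starts with a well-formed ansible-vault header."""
    return VAULT_HEADER.match(data[:256]) is not None


def must_be_encrypted(relpath: str) -> bool:
    """Does this path fall under one of the secret-holding conventions?"""
    return any(p.search(relpath) for p in SENSITIVE_PATHS)


def find_plaintext_secrets(files: Dict[str, bytes]) -> List[str]:
    """files: relative POSIX path -> contents. Returns offending paths, sorted."""
    return sorted(p for p, data in files.items()
                  if must_be_encrypted(p) and not is_vault_encrypted(data))


def scan_tree(root: Path) -> List[str]:
    """Same check over a checkout on disk (skips .git)."""
    files = {f.relative_to(root).as_posix(): f.read_bytes()
             for f in root.rglob("*")
             if f.is_file() and ".git" not in f.relative_to(root).parts}
    return find_plaintext_secrets(files)


# Constructed sample checkout (contents are illustrative, not real secrets).
SAMPLE_TREE = {
    "motd.yml": b"---\n- name: playbook to check filesystem.\n  hosts: all\n",
    "motd.yml-decrypted": b"---\n- name: playbook to check filesystem.\n",
    "group_vars/all/vault.yml": b"$ANSIBLE_VAULT;1.1;AES256\n3562313936393031\n",
    "group_vars/all/vars.yml": b"db_user: app\n",
    "host_vars/db1/vault.yml": b"db_password: hunter2\n",
    "prod.vault.yml": b"$ANSIBLE_VAULT;1.2;AES256;prod\n6162636465\n",
}

if __name__ == "__main__":
    import sys
    bad = find_plaintext_secrets(SAMPLE_TREE)   # use scan_tree(Path(".")) in a real hook
    for path in bad:
        print(f"REFUSE: {path} must be vault-encrypted")
    sys.exit(1 if bad else 0)
```

Wire `scan_tree(Path("."))` into a pre-commit hook and exit non-zero when the list is non-empty; the plain playbook `motd.yml` passes because it matches none of the secret-path conventions, while the `-decrypted` copy and a plaintext `host_vars/.../vault.yml` are refused.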






