Hello Everybody,
I want to create a callback plugin that emits log messages to an API. That API is secured by some Authorization Header. In Order to securely store the required API Key, I have put it into an encrypted file. The encryption was done using ansible-vault encrypt ./secrets/log-api.yml
.
To have an easy workflow I have added this to ansible.cfg
:
[defaults]
…
vault_password_file = ./pwd.sh
…
The question is: How can I access the plain text data of ./secrets/log-api.yml
within the plugin?
Ideally that could be done within ansible.cfg
like so:
my_login_plugin_api_key = "{{ lookup( … ) }}"
But from what I have heard so far, that is not possible, since there is simply no way to have decryption in that place, isn’t it?
So the question is, how should the decryption happen in the plugin? IMHO that involves those steps:
- access the value of
vault_password_file
- in best case the result of the the script - within the plugin - How to decrypt? Is there any Class / Object / Function for that?
My main Problem is that I am a bloody rookie on that topic and I cannot find any documentation.
THANKS for Help and Directions!