Accessing encrypted configuration values with a plugin

usr-cw31jOPI · October 25, 2024, 7:40am

Hello Everybody,

I want to create a callback plugin that emits log messages to an API. That API is secured by some Authorization Header. In Order to securely store the required API Key, I have put it into an encrypted file. The encryption was done using ansible-vault encrypt ./secrets/log-api.yml.

To have an easy workflow I have added this to ansible.cfg:

[defaults]
…
vault_password_file = ./pwd.sh
…

The question is: How can I access the plain text data of ./secrets/log-api.yml within the plugin?

Ideally that could be done within ansible.cfg like so:

my_login_plugin_api_key = "{{ lookup( … ) }}"

But from what I have heard so far, that is not possible, since there is simply no way to have decryption in that place, isn’t it?

So the question is, how should the decryption happen in the plugin? IMHO that involves those steps:

access the value of vault_password_file - in best case the result of the the script - within the plugin
How to decrypt? Is there any Class / Object / Function for that?

My main Problem is that I am a bloody rookie on that topic and I cannot find any documentation.

THANKS for Help and Directions!

bcoca · October 25, 2024, 7:03pm

plugin configuration does not support individual vaults or templating (yet), till then i recommend using an environment variable.

felixfontein · October 26, 2024, 9:49am

Many inventory plugins template specific inputs if they look like a template to allow using lookups etc., see for example community.general/plugins/inventory/linode.py at ccf7f62325d17d794a184ad2ab18e0ca3655b87b · ansible-collections/community.general · GitHub

usr-cw31jOPI · November 1, 2024, 5:32am

Thanks for clarification!

Does this mean that this is on the Roadmap? Is it already known when this should be there?

usr-cw31jOPI · November 1, 2024, 5:43am

Thanks a lot for this hint! As I take from that suggestion, the plugin itself is running the code needed to lookup the value, isn’t it? I there anywhere another example that would should the code for decryption using the vault?

bcoca · November 1, 2024, 2:49pm

Not on roadmap, just on my personal list.

To implement for specific fields in a plugin, just template (templating decrypts)

Topic		Replies	Views
References for using Ansible-Vault's APIs in a Python script Get Help ansible-vault	4	176	May 8, 2024
Facilitate ansible-vaulting of variables from within text editors Project Discussions ansible-vault , yaml	0	233	November 22, 2023
Custom filter plugin - access Ansible variables? Get Help playbook	7	183	February 20, 2024
Does `ansible-navigator` not support passing vault-password file? Get Help ansible-navigator	1	460	May 8, 2024
Vaulted credentials with AWS Dynamic Inventory? Get Help aws , ansible-vault	2	38	September 30, 2024

Accessing encrypted configuration values with a plugin

Hello Everybody,

Related topics