Ansible inventory as json and inline vaulted data does not work (works with yaml inventory)

I try to create an inventory that contains a vaulted variable.

this works in yaml:

---
test:
  hosts:
    testhost:
  vars:
    testvar: !vault |
          $ANSIBLE_VAULT;1.1;AES256
          39653934316465353339396430333437623966376437636534626161653836636461323434356333
          3037666435373431333330393661653665356636646535350a613730323864343737343135396230
          30303939366463643864363535323634636631323635363235363732663439373764656135376163
          6161636337366165330a353534616538386633356566303231333963383631656337633736396563
          6438

then I can do:

ansible -m debug -a var=testvar testhost -i test.yaml
testhost | SUCCESS => {
    "testvar": "\n"
}

the newline is the encrypted secret

But if I do the same with a json style inventory, then it does not work:

{
  "help": {
    "hosts": {
      "testhost": null
    },
    "vars": {
      "testvar": "$ANSIBLE_VAULT;1.1;AES256\n39653934316465353339396430333437623966376437636534626161653836636461323434356333\n3037666435373431333330393661653665356636646535350a613730323864343737343135396230\n30303939366463643864363535323634636631323635363235363732663439373764656135376163\n6161636337366165330a353534616538386633356566303231333963383631656337633736396563\n6438\n"
    }
  }
}

then it looks like this:

ansible -m debug -a var=testvar testhost -i test.json
testhost | SUCCESS => {
    "testvar": "$ANSIBLE_VAULT;1.1;AES256\n39653934316465353339396430333437623966376437636534626161653836636461323434356333\n3037666435373431333330393661653665356636646535350a613730323864343737343135396230\n30303939366463643864363535323634636631323635363235363732663439373764656135376163\n6161636337366165330a353534616538386633356566303231333963383631656337633736396563\n6438\n"
}

I also tried with a leading !vault | inside the string value (similar to yaml), but that does not work either.

Is there a way to encode the vaulted value in a json inventory similar to what I can do with yaml inventory?

Background: actually I need this for a dynamic inventory script that is supposed to produce only json. But that is the next step…

I took your inventory and converted it to JSON with

$ ansible-inventory -i inventory.yml --list > inventory.json

looking at the output, I see:

{
    "_meta": {
        "hostvars": {
            "testhost": {
                "testvar": {
                    "__ansible_vault": "$ANSIBLE_VAULT;1.1;AES256\n61386262306638626661646433356262656365333961313461393733353265336432313232623735\n6538343130366235363136366432316331326430663331310a343234626534636666356531636662\n63346235343236386364313735366433626166373438626632303464373438386665373332363431\n6265656631656663650a316364373532393831626137303066613335393036643530646635353139\n3263\n"
                }
            }
        }
    },
...

which looks reasonable. Wrapping that into an inventory.sh which simply outputs the JSON file (to simulate dynamic inventory) appears to produce the desired effect:

$ ansible -i inventory.sh testhost -m debug -a var=testvar
testhost | SUCCESS => {
    "testvar": "hello world"
}

(the above vault is encrypted with the password aa.)

BTW, I’ve no idea where that is documented; on a hunch I used ansible-inventory for conversion. The only decent mention I’ve found is in this ticket.

2 Likes
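
An added example (not part of the original posts) of a dynamic inventory script that produces the JSON shape shown in the answer: every vault-armored string is wrapped in an `__ansible_vault` key before the inventory is printed. The function names, the `plainvar` variable and the sample ciphertext are assumptions; the ciphertext is a constructed placeholder, not a real vault.

```python
#!/usr/bin/env python3
"""Dynamic inventory example: emit vaulted values in the __ansible_vault form."""
import json
import sys

VAULT_HEADER = "$ANSIBLE_VAULT;"

# Constructed placeholder, not a real ciphertext: paste the output of
# `ansible-vault encrypt_string` here (header line plus hex lines).
SAMPLE_VAULT_TEXT = """$ANSIBLE_VAULT;1.1;AES256
    <hex line 1>
    <hex line 2>
"""


def wrap_vaulted(value):
    """Recursively replace vault-armored strings with {"__ansible_vault": text}."""
    if isinstance(value, dict):
        if "__ansible_vault" in value:
            return value  # already wrapped, do not nest a second time
        return {k: wrap_vaulted(v) for k, v in value.items()}
    if isinstance(value, list):
        return [wrap_vaulted(v) for v in value]
    if isinstance(value, str) and value.lstrip().startswith(VAULT_HEADER):
        # Drop YAML block indentation and blank lines, keep one trailing newline.
        lines = [ln.strip() for ln in value.splitlines() if ln.strip()]
        return {"__ansible_vault": "\n".join(lines) + "\n"}
    return value


def build_inventory(hostvars):
    """Build the --list document; group and host names follow the thread."""
    return {
        "_meta": {"hostvars": wrap_vaulted(hostvars)},
        "test": {"hosts": sorted(hostvars)},
    }


def main(argv):
    hostvars = {"testhost": {"testvar": SAMPLE_VAULT_TEXT, "plainvar": "visible"}}
    if len(argv) > 1 and argv[1] == "--host":
        # Host vars are already served through _meta, so --host adds nothing.
        print(json.dumps({}))
    else:
        print(json.dumps(build_inventory(hostvars), indent=4))


if __name__ == "__main__":
    main(sys.argv)
```

The ciphertext stays encrypted in the script's output; decryption still needs the vault password on the `ansible` command line or in the configuration.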

that did the trick - now I need to get this into my dynamic inventory!

Thanks a lot!

Also thanks for the hint of using ansible-inventory!

1 Like
