ansible vault with ad hoc command line

Hi All,

Is it possible to use ansible-vault with ad-hoc commands?
Use case: I have not set up an SSH key and I want to use the ping module on the target machine.

The normal way, if we have set up an SSH key or pass the text password:
1: ansible <target_hostname> -m ping [if ssh key configured]
2: ansible <target_hostname> -m ping --extra-vars "ansible_user= ansible_password="

But I want to do this with ansible-vault.
Is it possible? Any help would be appreciated.

Try something like…

ansible --vault-id ~/.vault -e @yourvault.yml

This will expose the variables for your use, like in your inventory:

```
ansible_become: true
ansible_become_method: su
ansible_become_user: root
ansible_become_pass: "{{ var_from_vault }}"
```

inventory example https://lathama.net/git/lathama/IaC/src/branch/master/Infrastructure/inventory.yml

How I do this with playbooks https://lathama.net/git/lathama/IaC/src/branch/master/Infrastructure

Do you have any problem using vault with ad-hoc?

Here is an example of how it works.

I have a vault secret file under group_vars like below. You have to use ansible-vault create.

```
ansible-vault view group_vars/myserver.yml
Vault password:
```

Hi Mohan,

I tried running the ad-hoc command as you suggested but it is not working:

```
ansible <target_hostname> -m ping -u <target_vm_username> --vault-password-file <secret_file>
```

where secret_file was created with the password of <target_vm_username>:

```
ansible-vault create secret_file
cat secret_file
```

Output:

```
[WARNING]: Error in vault password file loading (default): A vault password must be specified to decrypt data
ERROR! A vault password must be specified to decrypt data
```

Am I doing something wrong?

You have to pass the vault password to the ansible command, not the vault file itself. The vault file stores your secrets/variables in encrypted format, and the vault password is used to decrypt it. Pass the vault password to the ansible command.

Have you read this doc: https://docs.ansible.com/ansible/2.7/user_guide/vault.html

Take a look at the below link as well:

https://serversforhackers.com/c/how-ansible-vault-works

https://zaiste.net/ansible_vault_storing_sensitive_data_as_encrypted_variables/

If your roles or playbooks reference encrypted variables, you need to give Ansible the password to decrypt them. Prior to Ansible 2.4, you could do this in two ways:

1). Using the --ask-vault-pass flag will instruct Ansible to ask for the vault password so it can decrypt the variable files correctly.

2). Using the --vault-password-file flag will instruct Ansible to read the vault password from a file. ansible-playbook uses the password in the referenced file to decrypt the vault file.

Since Ansible 2.4, there is also a way to provide a vault password using the --vault-id option. This allows vault files or vars that are encrypted with different passwords to be used at the same time. That is what Andrew mentioned in his post.

I have gone through the link shared by you but nowhere is it
using the vault for an ad hoc command. It is using it for a playbook.

Request you to please share an example of the ping module as I did in
my previous email; that would be helpful for understanding it.

ad-hoc command:

ansible <hostname> -m ping <what_next?>

Please note the SSH key is not set up on the target host.

Thanks & Regards

Rajendra Rawat

I have already given you an example. You can see it if you closely read my first reply to this thread. Ansible vault works the same way for both the ansible-playbook and ansible commands. Whatever is documented for ansible-playbook also works with ansible ad hoc if you use vault. You have to spend some time to learn it. Everything is documented well.

Here is the step by step example:

1). Create a directory group_vars

```
mkdir -p /etc/ansible/group_vars
```

2). Create a variable file with your server username and password. Please note this is the username and password which your ansible ad hoc command is going to use to log in to your target machine.

```
vim /etc/ansible/group_vars/myservers.yml
```

It is working for me now. Thanks for explaining it in detail.
It is working for me after creating the group into /etc/ansible/group_vars.

I have a doubt: can we achieve the same functionality without creating a vault file with the same group name which we gave in the inventory file into /etc/ansible/group_vars/?

You can create a directory called 'all' under your playbook group_vars directory and use 'all' in your ad hoc command. This way the variables apply to all the hosts defined in myhostfile in my example.

```
tree -L 3 /etc/ansible/group_vars
/etc/ansible/group_vars
`-- all
    `-- secrets.yml
```

```
ansible -i /etc/ansible/myhostfile all -m file -a "dest=/tmp/hello mode=755 state=directory" -u root --ask-vault-pass
Vault password:
localhost | SUCCESS => {
    "changed": false,
    "gid": 0,
    "group": "root",
    "mode": "0755",
    "owner": "root",
    "path": "/tmp/hello",
    "secontext": "unconfined_u:object_r:user_tmp_t:s0",
    "size": 6,
    "state": "directory",
    "uid": 0
}
```

Have a look at ansible inventory:

https://docs.ansible.com/ansible/latest/user_guide/intro_inventory.html

https://www.digitalocean.com/community/tutorials/how-to-manage-multistage-environments-with-ansible#ansible-recommended-strategy-using-groups-and-multiple-inventories
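The two posts above give the procedure in pieces (the group_vars layout in the step-by-step post, the `group_vars/all` run with `--ask-vault-pass` in this one), and the earlier error came from passing the encrypted vault file itself as `--vault-password-file`. The script below is an added example, not code posted by anyone in this thread: it lays out a throwaway project with the login credentials in a vault-encrypted group_vars file, prints the ad-hoc ping command, and adds the two checks a practitioner would want before running it: that no credential variable is left in plaintext under group_vars, and that the file handed to `--vault-password-file` is an owner-only password file rather than a vault. Hostnames, paths and values are made up; `ansible-vault encrypt` only runs if the binary is installed.

```shell
#!/bin/sh
# Added example for this thread (not code posted in it): vault-protected
# login credentials for an ad-hoc `ansible ... -m ping`, plus checks for
# the two mistakes discussed above. Paths, host and values are constructed.
set -eu

# Variables Ansible treats as login or escalation credentials.
CRED_RE='^[[:space:]]*ansible_(password|ssh_pass|become_pass|become_password):[[:space:]]*[^![:space:]]'

# 1. Layout. group_vars/all/ applies to every host in the inventory, so the
#    file name does not have to match a group name.
setup_project() {
  dir="$1"
  mkdir -p "$dir/group_vars/all"
  printf '[myservers]\nserver1.example.internal\n' > "$dir/hosts.ini"
  # Connection variables the ad-hoc command logs in with (placeholder values).
  printf 'ansible_user: deploy\nansible_password: CHANGE_ME\n' > "$dir/group_vars/all/secrets.yml"
  # The vault *password* file: owner-only, and kept out of the repository.
  ( umask 077; printf 'example-vault-password\n' > "$dir/.vault_pass" )
}

# 2. Encrypt in place. Skipped when ansible-vault is not installed; the scan
#    in step 3 then reports the plaintext file, which is the point of the scan.
encrypt_secrets() {
  command -v ansible-vault >/dev/null 2>&1 || return 0
  ansible-vault encrypt --vault-password-file "$1/.vault_pass" "$1/group_vars/all/secrets.yml"
}

# A vault-encrypted file always starts with this header line.
is_vaulted() { head -n 1 "$1" | grep -q '^\$ANSIBLE_VAULT;1\.[12];AES256'; }

# 3a. Fail if any plaintext YAML under group_vars holds a credential variable
#     that is not an inline `!vault` value (from ansible-vault encrypt_string).
scan_plaintext_secrets() {
  offenders=$(find "$1/group_vars" -type f \( -name '*.yml' -o -name '*.yaml' \) |
    while IFS= read -r f; do
      is_vaulted "$f" && continue
      grep -Eq "$CRED_RE" "$f" && printf 'plaintext credential: %s\n' "$f"
    done || true)
  [ -z "$offenders" ] || { printf '%s\n' "$offenders"; return 1; }
}

# 3b. The file given to --vault-password-file must hold the password itself,
#     readable only by its owner. Handing the vault file over instead yields
#     "A vault password must be specified to decrypt data".
check_vault_password_file() {
  f="$1"
  [ -f "$f" ] || { echo "missing vault password file: $f"; return 1; }
  if is_vaulted "$f"; then echo "$f is a vault, not a vault password file"; return 1; fi
  [ -n "$(find "$f" -perm 600)" ] || { echo "$f must be mode 0600"; return 1; }
}

# 4. The ad-hoc command; the vault flags are the same ones ansible-playbook takes.
#    Interactive alternative: ansible -i hosts.ini all -m ping --ask-vault-pass
adhoc_ping_cmd() {
  printf 'ansible -i %s/hosts.ini all -m ping --vault-password-file %s/.vault_pass\n' "$1" "$1"
}

main() {
  dir=$(mktemp -d)
  setup_project "$dir"
  encrypt_secrets "$dir" || echo 'encryption failed; credentials are still plaintext' >&2
  check_vault_password_file "$dir/.vault_pass"
  scan_plaintext_secrets "$dir" || echo 'refusing to run: fix the files above' >&2
  adhoc_ping_cmd "$dir"
}

main "$@"
```

Run it with `sh vault_adhoc.sh`. The reason to go through the vault at all instead of `--extra-vars "ansible_password=..."` is that a password on the command line lands in shell history and in the process list readable by other users on the control node, while the vault keeps it encrypted at rest and only the mode-0600 password file is sensitive. If the vault password file is executable, Ansible runs it and reads the password from its stdout, which is how to pull the password from a secret manager rather than a plain file.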

Thanks a lot Mohan for your help.