Ansible vault without temp files

Quick question, please.

A playbook that, for each host, generates a random password, sets it as the root password on the host and stores ":<pwd>" in a local Ansible vault file.

How can I add new entries to the vault without creating a decrypted file ON DISK?

Ideally, I'd pipe the output of 'ansible-vault decrypt' into a script that adds new data and then pipes it back to 'ansible-vault encrypt', so that the plain text only exists in memory.

Thanks

Short answer

now in filter:
https://github.com/ansible/ansible/pull/74998

Thanks for taking the time.

This is what I have:

What’s missing is the code to do the actions in capitals.

- hosts: all
  gather_facts: no

  tasks:

    - name: generate random password.
      delegate_to: localhost
      command: "/home/ec2-user/genpwd.py"
      register: pwd

    - name: Update root user's password
      become: true
      user:
        name: root
        password: "{{ pwd.stdout | password_hash('sha512') }}"
      # <IF SUCCESSFUL ADD ':' TO DICTIONARY>

  post_tasks:
    - delegate_to: localhost
      # <DECRYPT VAULT TO MEMORY, APPEND DICT AND ENCRYPT BACK TO VAULT>

Many thanks.
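One way to fill in the two capitalised placeholders, as an added example that is not part of the original thread and is neither the asker's nor the Ansible project's code. It assumes ansible-core 2.12 or later, where the pull request from the short answer has landed as the `vault` and `unvault` filters; a local vault file `secrets.yml` that holds a YAML mapping of hostname to password; and the vault password exported in an environment variable named `VAULT_PASS` (file name and variable name are assumptions). The `genpwd.py` script is replaced by the built-in `password` lookup pointed at `/dev/null`, which generates a value without storing it anywhere.

```yaml
# Added example, not from the original thread. Assumes ansible-core >= 2.12,
# a vault file secrets.yml (YAML mapping host -> password) next to the playbook,
# and the vault password in the VAULT_PASS environment variable.
- hosts: all
  gather_facts: no
  tasks:
    # set_fact freezes the value; a lazily evaluated play var would re-run the
    # lookup (and produce a different password) every time it is referenced.
    - name: generate random password (nothing is written to disk)
      set_fact:
        new_pwd: "{{ lookup('password', '/dev/null length=24 chars=ascii_letters,digits') }}"
      no_log: true

    - name: Update root user's password
      become: true
      user:
        name: root
        password: "{{ new_pwd | password_hash('sha512') }}"
      no_log: true

    # A host that failed the previous task is dropped from the play before this
    # runs, so only hosts whose password really changed carry this fact.
    - name: remember the password for the vault update
      set_fact:
        vaulted_pwd: "{{ new_pwd }}"
      no_log: true

- hosts: localhost
  gather_facts: no
  vars:
    vault_file: "{{ playbook_dir }}/secrets.yml"        # assumption
    vault_pass: "{{ lookup('env', 'VAULT_PASS') }}"     # assumption
  tasks:
    - name: collect host:password pairs from every host that was updated
      set_fact:
        additions: "{{ additions | default({}) | combine({item: hostvars[item].vaulted_pwd}) }}"
      loop: "{{ groups['all'] }}"
      when: hostvars[item].vaulted_pwd is defined
      no_log: true

    # slurp returns the raw (still encrypted) bytes; the file lookup would hand
    # them to the loader, which tries to decrypt vault-formatted files itself.
    - name: read the existing vault as ciphertext
      slurp:
        src: "{{ vault_file }}"
      register: vault_raw

    # decrypt -> parse -> merge -> serialise -> encrypt, all inside one template
    # expression, so the plaintext never leaves the controller's memory.
    - name: merge the new entries and write back only ciphertext
      copy:
        content: >-
          {{ vault_raw.content | b64decode | unvault(vault_pass) | from_yaml
             | combine(additions | default({})) | to_nice_yaml | vault(vault_pass) }}
        dest: "{{ vault_file }}"
        mode: "0600"
      no_log: true
```

The merged plaintext exists only while the Jinja expression of the last task is evaluated; `copy` receives the re-encrypted text, so the only content that touches the disk is ciphertext. `no_log: true` on every task that handles a password keeps it out of the console output and callback logs. Because the `vault` filter picks a fresh random salt on each call, the vault file changes on every run even when no new entries were added, so a `changed` result from the last task is expected.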