Ansible Vault

Hi

I am trying to set up Ansible vault and running into errors.

In my /etc/ansible/group_vars folder I have multiple vars files for specific server groups in the host files. These vars files (winservers.yml) have the servers' login details... for example:

ansible_ssh_user: Administrator
ansible_ssh_pass: PASSWORD
ansible_ssh_port: 5986
ansible_connection: winrm

What I want to do is use vault so that those passwords are not visible in these vars files.

So what I did is create a vault.yml file (using ansible-vault) in the group_vars folder. I then added the variables in the file.

What about:

ansible_ssh_pass: "{{ winservers_password }}"

?

Hi

It's definitely a step further!

But I get the following error now:

fatal: [10.10.3.168]: FAILED! => {"failed": true, "msg": "'winservers_password' is undefined"}

It's as if it doesn't know where to look for the variable? Should it just know to read the variable from the 'vault.yml' file?

can you create the directory /etc/ansible/group_vars folder/all and put everything in it instead of /etc/ansible/group_vars folder?

Hi Arbab

So currently I have /etc/ansible/group_vars and in that folder I have the following:

azureservers.yml vault.yml windows.yml winservers.yml

Do you want me to now create the following folder, /etc/ansible/group_vars/all
Or must it be a new group_vars folder structure, /etc/ansible/group_vars folder/all

And then copy those yml files into that 'all' folder?

just create the all directory inside the /etc/ansible/group_vars/
and move the azureservers.yml vault.yml windows.yml winservers.yml inside it.

“vault.yml” is not a magical filename, you still need to use a “use_vars:” task to pull in the contents of that file. If you have provided the vault password (either via --ask-vault or via a vault password file), then that file will be decrypted and the variables within it will be evaluated.

That completely contradicts the 'one file per group' scheme that is the basis for the group_vars folder.

Just copying the vault.yml file into that folder or renaming it to /etc/ansible/group_vars/all.yml would help IMHO.

Of course this is only sensible if the values are for all hosts, otherwise creating an encrypted file e.g. azureservers.yml would be the better option.

Johannes

you can also do this:

group_vars/<group_name>/vault.yml

You can have multiple files on a group named dir.

Of course, but I thought the files the OP mentioned were for different groups...

Johannes

Hi Mark,

Bit late to this one but as well as using group_vars folders I’d suggest organizing things so that you aren’t trying to do this:

ansible_ssh_pass: {{ winservers_password }}

so you can avoid a vault lookup of a var. Instead I’d put the

ansible_ssh_pass: ACTUAL_SECRET_PASSWORD

into a separate file and vault that, then use the child groups mechanism to include the var in whatever groups you need.

Oh yeah, while you are organising things, might be worth switching to the new names e.g. ansible_user instead of ansible_ssh_user as I imagine the old names will get deprecated at some point.

HTH

Jon
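As an added illustration of the layout Jon describes (not taken from the thread or from Ansible's own docs), here is one group directory holding a plain vars file next to a vaulted one. The file paths, the `vault_` prefix and the placeholder secret are assumptions chosen for the example; both files are loaded for every host in the `winservers` group because group_vars/<group>/ is read as a directory.

```yaml
# group_vars/winservers/vars.yml
# Plain text: safe to read, diff and commit. Holds everything that is not secret.
ansible_user: Administrator          # newer name for ansible_ssh_user
ansible_connection: winrm
ansible_port: 5986                   # newer name for ansible_ssh_port
# Indirection: the real password lives only in vault.yml (below). Anyone
# grepping this file or reading a verbose log sees the variable name, not
# the value, and "ansible-vault view" is needed to get at the secret.
ansible_password: "{{ vault_winservers_password }}"

---
# group_vars/winservers/vault.yml
# Written as plain YAML first, then encrypted in place with:
#   ansible-vault encrypt group_vars/winservers/vault.yml
# After that the file starts with a "$ANSIBLE_VAULT;1.1;AES256" header and
# is only usable when a vault password is supplied at run time, e.g.:
#   ansible-playbook site.yml --ask-vault-pass
#   ansible-playbook site.yml --vault-password-file ~/.vault_pass.txt   # keep this file mode 0600
vault_winservers_password: "EXAMPLE-PLACEHOLDER-not-a-real-secret"   # constructed placeholder
```

If the same secret is needed by several groups, keep it in one vaulted group directory and make the other groups children of that group in the inventory rather than copying the vault file around.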

Hi guys

Thank you so much for all your feedback. Getting a little confused as to what to do now though.

Do I create the following folder /etc/ansible/group_vars/all and just copy all the files into that folder? Will that solve the problem?

Jon - I'm not exactly sure what you mean by, "into a separate file and vault that, then use the child groups mechanism to include the var in whatever groups you need."

Can you not just have one vault file with all variables that you want secure, and then just refer to those variables in all your playbooks?

Cheers

Mark,

just give a try with the /etc/ansible/group_vars/all and don't forget to add the --ask-vault-pass to your playbook

Every item in group_vars/ is named to match a group name. These items can be either files (my_group, my_group.yml) or directories (my_group/). If it is a directory, then it works similarly to a .d/ directory where all of the files in that dir are imported.

These are equivalent structures:

  1. One file:

group_vars/group1.yml
