I have prepared an Ansible playbook. However, I want to encrypt the playbook in such a way that the end user to whom I'll be providing the playbook will have only the privilege to run the playbook and not to view its contents. With Vault I can encrypt this, but again, to run the playbook I need to provide the vault password. With this password the code can be decrypted very easily. Is there any way to achieve this?
Instead of providing the vault password, allow execution of a vault script that will query/generate the password after it verifies it is being called from ansible-playbook (so the user cannot call it directly).
Could you tell us what the rationale is for such a requirement?
I can understand some sort of integrity checks to make sure content hasn’t been tampered with or isn’t damaged.
But it sounds counterintuitive to run something that has been deliberately obfuscated.
So please enlighten us.
I would make the roles/playbook as modular as possible, then have each user pass the necessary variables. If you want others to use credentials but not see them, then I suggest you use AWX/Tower.