Inject vault password with plugin

FERREIRA_CHRISTOPHE · May 24, 2020, 11:53am

Hello it's possible to inject vault password with custom plugin vars or action ? I would like put password in vault hashicorp and i would't put script in host because is executable by user

I have try loader.set_vault_secrets(vault_secrets) but not work

Dick_Visser · May 24, 2020, 5:02pm

Hi, im not entirely sure what you mean but you may want to look at
https://docs.ansible.com/ansible/latest/plugins/lookup/hashi_vault.html

FERREIRA_CHRISTOPHE · May 25, 2020, 12:27am

Hello no it's ansible vault password , i thinks can't use lookup for this

Only option i know is ask-vault-pass environment vars and vault password file

Kai_Stian_Olstad · June 14, 2020, 6:01pm

And scripts
https://github.com/ansible/ansible/blob/stable-2.9/contrib/vault/

david · March 17, 2021, 12:17am

Hi,

I have hit the same issue. It would be really nice to be able to inject an ‘ansible vault’ password during a play.
Whilst I know this can be provided on the command line, this ultimately means writing a wrapper script to obtain the secret and then provide it on the command line to ansible.
The option of providing a script (or executable) as the vault password does not help either, as parameters cannot be provided to the script to elicit the desired secret, leaving the user to have to generate a script file from a template in order to be able to feed in the specifics about the secret required.
The ‘include_vars’ task and ‘lookup’ function recognise that a file is an Ansible Vault and try to decrypt it. This means that there is opportunity in a playbook to insert/inject the secret to unlock the file. This secret could be obtained from any secret management system immediately enabling integration within Ansible from that system.

I have looked through the code and may come back to it in the coming weeks to see if I could hit on an answer but hoping that someone who knows what they doing can respond/take a look.

vbotka · March 17, 2021, 10:26am

... inject an 'ansible vault' password during a play.

FWIW, below is the scenario how to put the vault password into a file
only when you need it. Given the vault password is stored in
*passwordstore*, create two templates, e.g.

> cat dummy_vault_passwd.j2
dummy_vault_passwd

> cat my_vault_passwd.j2
{{ lookup('passwordstore', 'vault/admin') }}

and configure *vault_password_file*

> grep vault ansible.cfg
vault_password_file = $PWD/my_vault_passwd

Create "dummy" file $PWD/my_vault_passwd

> cat my_vault_passwd
dummy_vault_passwd

Then the playbook below put the vault password into the file only in
the section when it is needed

  - hosts: localhost
    tasks:
      - template:
          dest: "{{ playbook_dir }}/my_vault_passwd"
          src: my_vault_passwd.j2
          mode: "0600"
      - include_vars: vault.yml
      - template:
          dest: "{{ playbook_dir }}/my_vault_passwd"
          src: dummy_vault_passwd.j2
          mode: "0600"

Topic		Replies	Views
Can I specify ansible-password-vault-file in a playbook before running an include_vars ? Ansible Project	1	0	May 15, 2020
Accessing encrypted configuration values with a plugin Get Help config , plugin , ansible-vault	5	37	November 1, 2024
Access Vault Pass from inside dynamic inventory Ansible Project	4	2	July 17, 2023
encryption Ansible Project	3	0	February 17, 2015
ansible vault and lookups module for password hashes Ansible Project	1	0	December 2, 2016

Inject vault password with plugin

Related topics