comments inline…
Can I specify the vault password once I'm already in the playbook (but obviously before I've tried to read from the vault file)?
Not in 2.3.
Sort of in 2.4. But more importantly, you may not need to since 2.4 will have some support for multiple vaults/vault passwords per invocation.
Right now I have a few different text files containing different passwords for the vaults for different instances of our app. Once I've figured out what instance I need to work with, I'd like to load the contents of that file as the password so I can load variables from the vault files. Otherwise I need to provide the vault file on the CLI every time (kind of a pain to type out a lot), and I can't deal with multiple vaults with different passwords in the same playbook.
The different vault files need to have different passwords (not all developers should have access to variables for all instances).
In 2.4, you can use multiple vault passwords.
You can have multiple vaulted files and each file can have a different vault password (multiple vaulted files can also share the same password).
YAML files can include embedded vaulted variables, with each embedded vault using a different password (in the same file, or spread across multiple YAML files).
The docs are just getting started, but https://groups.google.com/d/msg/ansible-project/qG4n_Psys44/675CBpjVAAAJ has an overview and some examples if you want to try it.
I would appreciate any feedback!
With 2.4, for your use case, I would create a vault password file for each secret. For example:
$ ls *_vault_secret
dev_vault_secret
stage_vault_secret
prod_vault_secret
admin_vault_secret
Then I would encrypt each playbook file that needs encryption with the appropriate vault-id.
For example, if there is a set of db_password files to deploy to app servers:
files/dev_db_password
files/stage_db_password
files/prod_db_password
files/admin_db_password
ansible-vault encrypt --vault-id dev@dev_vault_secret files/dev_db_password
ansible-vault encrypt --vault-id stage@stage_vault_secret files/stage_db_password
ansible-vault encrypt --vault-id prod@prod_vault_secret files/prod_db_password
ansible-vault encrypt --vault-id admin@admin_vault_secret files/admin_db_password
The '--vault-id admin@admin_vault_secret' means 'use the vault-id "admin" and its password from "admin_vault_secret"'.
To run ‘dev_site.yml’ with the dev and stage secrets:
ansible-playbook --vault-id dev@dev_vault_secret --vault-id stage@stage_vault_secret dev_site.yml
dev_db_password will be decrypted with the 'dev' vault-id (the password from dev_vault_secret), etc.
The admins could use:
ansible-playbook --vault-id admin@admin_vault_secret --vault-id stage@stage_vault_secret stage_site_db_truncate.yml
[Looking at your example, I see that it will be useful to be able to specify a list of vault ids in ansible.cfg. Currently, devel/ code can use the existing vault_password_file config to specify a single default vault id, but I'll try to get something like an 'ansible_vault_id_list' config variable added as well.]
Note that with the default config, if you provide a vault-id that is not used or fails to decrypt something, that doesn't cause a failure as long as some other vault-id (or --vault-password-file or --ask-vault-pass) does. I.e., you can provide extra unused vault-ids on the CLI.
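As an added helper, not part of this thread or of Ansible itself, a POSIX sh function that builds the --vault-id arguments from the <label>_vault_secret naming convention above so the list does not have to be retyped on every run. It assumes the secret files live in VAULT_SECRET_DIR (a hypothetical variable, defaulting to the current directory) and refuses a secret file that is missing or readable by group/others, since the point of separate secrets is that only the right people hold them.

```shell
#!/bin/sh
# Added helper (not from the thread): build "--vault-id LABEL@FILE" arguments
# for ansible-vault / ansible-playbook from per-environment password files.
# Assumes (hypothetical convention) that each secret lives at
# $VAULT_SECRET_DIR/<label>_vault_secret; defaults to the current directory.

VAULT_SECRET_DIR="${VAULT_SECRET_DIR:-.}"

# vault_id_args LABEL... -> prints one line: "--vault-id LABEL@PATH ..."
# Returns 1 (and prints nothing on stdout) if any secret file is missing or
# has any group/other permission bits set (only mode 0600-style files pass).
vault_id_args() {
    args=""
    for label in "$@"; do
        secret="$VAULT_SECRET_DIR/${label}_vault_secret"
        if [ ! -f "$secret" ]; then
            echo "missing vault secret for '$label': $secret" >&2
            return 1
        fi
        # Columns 5-10 of 'ls -l' are the group/other permission bits;
        # they must all be '-' for the file to be private to the owner.
        case "$(ls -l "$secret" | cut -c5-10)" in
            ------) ;;
            *) echo "vault secret $secret is readable by group/others" >&2
               return 1 ;;
        esac
        args="$args --vault-id $label@$secret"
    done
    printf '%s\n' "${args# }"
}

# Example from the thread: run dev_site.yml with the dev and stage secrets.
# Usage (uncomment to run):
# ansible-playbook $(vault_id_args dev stage) dev_site.yml
```

Because an unused vault-id is harmless under the default config, it is fine to pass every label a developer is entitled to and let Ansible pick the one each file needs.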
At the moment, I have vault_password_file in ansible.cfg pointing to a symlink that points to the actual password file. I have tried changing that symlink to point to the correct password via a playbook task before accessing the desired vault, but this doesn't seem to work - my guess is ansible-playbook reads the value into memory at boot and not from the file when it's needed.
At the moment (in 2.3 and devel), the vault password[s] are loaded when the CLI starts up[1], before the playbook starts running (and before loading any vault encrypted files, as you mentioned). So changing the symlink as you describe won't work.
But they aren't used until some vault content needs it. I.e., if a playbook folder includes a file vault encrypted with the 'dev' vault-id and password, but running the playbook doesn't need to load that file, then you do not need to provide the 'dev' vault-id/password.
If the playbook does load a vault encrypted file and needs a vault-id/secret that isn't provided, then that will cause a vault error.
[1] The code in the devel/ branch currently will try to load the password at startup, but the internal API is designed to let it do that on demand in future versions. That's not enabled yet mainly because of UXD issues and the complexities of prompting users across ansible worker processes. But the non-interactive cases (i.e., loading from a vault password file) could be updated to lazy load the password files pretty easily. If the 2.4 features look useful and that seems like something worth pursuing, let me know.