Is there a task/module to create a vaulted file?

Archives Ansible Project
1

Hii

In one of my playbooks there is a task that is creating a token through an API.
As the next task, I would like to store that token somewhere in my vars hierarchy.
If it were a plain text variable that would be easy.

But I don’t seem to be able to safe a vaulted file with a task.

One approach is with the pipe lookup and ansible-vault encrypt (seems a big ugly/unsafe):

  • name: save token

ansible.builtin.copy:
content: “{{ lookup(‘ansible.builtin.pipe’, ‘echo ’ ~ token|quote ~ ’ ansible-vault encrypt’) }}”
dest: /tmp/out1
mode: 0600

This seems to work, and because ansible.cfg contains the right information (vault_identity_list, vault_encrypt_identity) the encrypted content looks good, when I’m debugging.
But the actual file contents are plain text again. It seems the copy module decrypts the encrypted content again? How can I force the content to NOT be decrypted?

Another approach is the vault filter, which seems to be a bit cleaner. I thought this would do the trick:

  • name: save token

ansible.builtin.copy:
content: “{{ token | ansible.builtin.vault }}”
dest: /tmp/out2
mode: 0600

But that didn’t work, the filter insists on an actual secret value. I then must do a separate lookup for the ansible vault password. But the vault password file can also be an executable that sends the secret to stdout. I don’t want to have to implement that logic myself.

Is there a way for the ansible.builtin.vault filter to use the vault_identity_list and vault_encrypt_identity that are in ansible.cfg?

To see if it worked at all, i just hard coded the actual secret like this:

  • name: save token

ansible.builtin.copy:
content: “{{ token | ansible.builtin.vault(‘hackme’) }}”
dest: /tmp/out2
mode: 0600

Just like the other example, this works but the content is again decrypted by the copy module.

Any hints are appreciated :slight_smile:

tnx

Dick

2

This seems to work, and because ansible.cfg contains the right information (vault_identity_list, vault_encrypt_identity) the encrypted content looks good, when I’m debugging.
But the actual file contents are plain text again. It seems the copy module decrypts the encrypted content again? How can I force the content to NOT be decrypted?

To quickly answer my own question: there is a decrypt parameter: https://docs.ansible.com/ansible/latest/collections/ansible/builtin/copy_module.html#parameter-decrypt
I had never noticed that :clown_face:

So the first task does work now.

Still my other question remains:

3

Unable to test from current location but do you need to delegate_to for this?

4

Yes, I didn’t explicitly mention it, but I’m running all the tasks from a dedicated “local” play with these settings:

  • name: API tasks
    hosts: foo_hosts

This is an API-only play, so we run it locally - not from the actual hosts

connection: local
become: false
gather_facts: false
tags: foo,always
run_once: true

tasks:

  • name: blah
5

I saw https://github.com/ansible/ansible/pull/79864 which is related. I am interested in this as it sounds useful to many. I wildly assume the solution is obvious. Maybe drop the token into a local dir and a later task can encrypt any files found in said dir and copy them to the vars dir of your choice.