Working With Several Ansible Vaults
I previously wrote about properly securing your local Ansible vault with strong encryption, but what if you have to work with several teams, each with a different vault, and not only that… you also have your own vault?
I needed a way to conveniently change the vault I’m using at any moment, but since ANSIBLE_VAULT_PASSWORD_FILE takes a single path and no flags, this script lets you manage that.
Check the code here: ansible-vault-selector
This is what it does in a nutshell:
- keep several OpenPGP-encrypted vault passwords in a vaults directory
- set any one of them to be the one you need to work with (the default)
- call vault.sh (place it in ~/bin, for instance) without any arguments and get the password of the default vault
So how do you use it?
In ~/.ansible/vaults/ place, for each vault, one of:
- a PGP-encrypted file
- or a clear text file (this is very INSECURE, please do not use it for important stuff)
A particularly useful trick is that these files can be symbolic links to other files, so you can think of the names in this directory as “labels”:
```
rui@ansible-control-node:~$ ls -laF ~/.ansible/vaults/
total 8
drwxrwxr-x. 2 rui rui 166 Sep 24 15:47 ./
drwx------. 8 rui rui 156 Sep 24 13:21 ../
lrwxrwxrwx. 1 rui rui 74 Sep 24 14:16 aap-devel -> /home/rui/git/aap/aap-controller-configuration/vault/vault-aap-devel.asc
lrwxrwxrwx. 1 rui rui 74 Sep 24 14:20 aap-prod -> /home/rui/git/aap/aap-controller-configuration/vault/vault-aap-prod.asc
lrwxrwxrwx. 1 rui rui 67 Sep 24 15:43 aap-prod-team1 -> /home/rui/git/aap/orgs/team1/vault/vault-aap-prod.asc
lrwxrwxrwx. 1 rui rui 67 Sep 24 15:43 aap-devel-team1 -> /home/rui/git/aap/orgs/team1/vault/vault-aap-devel.asc
lrwxrwxrwx. 1 rui rui 44 Sep 24 12:08 automation -> /etc/ansible/vaults/team-automation.asc
lrwxrwxrwx. 1 rui rui 43 Sep 24 15:47 default -> /home/rui/.ansible/vaults/personal
-rw-rw-r--. 1 rui rui 1016 Sep 24 11:59 personal <- DEFAULT IS POINTING TO THIS FILE
lrwxrwxrwx. 1 rui rui 47 Sep 24 12:17 sysadm -> /etc/ansible/vaults/team-sysadm.asc
-rw-rw-r--. 1 rui rui 4 Sep 24 12:47 insecure
rui@ansible-control-node:~$
```
As you can see from the ’ls’ above, the default vault is currently my personal vault, but vault.sh -l will give you a somewhat prettier listing.
When I need to work with files protected with Team1’s vault, I can just change the default.
Since I have set ANSIBLE_VAULT_PASSWORD_FILE=~/bin/vault.sh, I can just do…
```
rui@ansible-control-node:~$ $ANSIBLE_VAULT_PASSWORD_FILE -s aap-prod-team1
Changing default vault from 'personal' to 'aap-prod-team1'
rui@ansible-control-node:~$ ls -laF ~/.ansible/vaults/
total 8
drwxrwxr-x. 2 rui rui 166 Sep 24 15:47 ./
drwx------. 8 rui rui 156 Sep 24 13:21 ../
lrwxrwxrwx. 1 rui rui 74 Sep 24 14:16 aap-devel -> /home/rui/git/aap/aap-controller-configuration/vault/vault-aap-devel.asc
lrwxrwxrwx. 1 rui rui 74 Sep 24 14:20 aap-prod -> /home/rui/git/aap/aap-controller-configuration/vault/vault-aap-prod.asc
lrwxrwxrwx. 1 rui rui 67 Sep 24 15:43 aap-prod-team1 -> /home/rui/git/aap/orgs/team1/vault/vault-aap-prod.asc <- AND NOW POINTS TO THIS SYMLINK
lrwxrwxrwx. 1 rui rui 67 Sep 24 15:43 aap-devel-team1 -> /home/rui/git/aap/orgs/team1/vault/vault-aap-devel.asc
lrwxrwxrwx. 1 rui rui 44 Sep 24 12:08 automation -> /etc/ansible/vaults/team-automation.asc
lrwxrwxrwx. 1 rui rui 43 Sep 24 15:47 default -> /home/rui/.ansible/vaults/aap-prod-team1
-rw-rw-r--. 1 rui rui 1016 Sep 24 11:59 personal
lrwxrwxrwx. 1 rui rui 47 Sep 24 12:17 sysadm -> /etc/ansible/vaults/team-sysadm.asc
-rw-rw-r--. 1 rui rui 4 Sep 24 12:47 insecure
rui@ansible-control-node:~$
```
At any time you can ask it for another vault’s password (only ’insecure’ shows its real value here, by the way):
```
rui@ansible-control-node:~$ $ANSIBLE_VAULT_PASSWORD_FILE -s personal
Changing default vault from 'aap-prod-team1' to 'personal'
rui@ansible-control-node:~$ $ANSIBLE_VAULT_PASSWORD_FILE
yecOapOshitukshiacedagetyaitonJuggormUlregMocBupzyFlogDiUbBewabNiJim!twamitMowWajKupCowjovGettocmyHewyoccyldEwmetsodyangOak1queg
rui@ansible-control-node:~$ $ANSIBLE_VAULT_PASSWORD_FILE -v insecure
ola
rui@ansible-control-node:~$
```
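To make the mechanism above concrete, here is an added, illustrative re-implementation of the selector in POSIX sh. It is not the ansible-vault-selector code from the linked repository, only my sketch of the same behaviour: a vaults directory (`VAULTS_DIR`, assumed to default to ~/.ansible/vaults), a `default` symlink naming the active vault, `-l` / `-s NAME` / `-v NAME` options, and the bare invocation that Ansible itself makes through ANSIBLE_VAULT_PASSWORD_FILE. Whether a vault is OpenPGP-encrypted is decided by its content (the armored `-----BEGIN PGP MESSAGE-----` header), so it works through symlinks to `.asc` files without resolving them; anything else is treated as a clear text vault. The function names and the `-l` output format are my own choices.

```shell
#!/bin/sh
# vault.sh - illustrative Ansible vault password selector (added example,
# not the original project's code).
# Assumptions: vaults live in $VAULTS_DIR (default ~/.ansible/vaults); a
# symlink named "default" points at the active vault; PGP-armored files are
# decrypted with gpg, anything else is read as (insecure) clear text.

VAULTS_DIR="${VAULTS_DIR:-$HOME/.ansible/vaults}"

# True if the file (symlinks followed) is an ASCII-armored OpenPGP message.
vault_is_pgp() {
    head -n 1 "$1" 2>/dev/null | grep -q -- '-----BEGIN PGP MESSAGE-----'
}

# Name of the vault the "default" symlink currently points at ("" if unset).
vault_current() {
    target=$(readlink "$VAULTS_DIR/default" 2>/dev/null) || return 0
    printf '%s\n' "${target##*/}"
}

# Print the password held in vault $1 (a name inside VAULTS_DIR, or "default").
vault_read() {
    f="$VAULTS_DIR/$1"
    if [ ! -f "$f" ]; then
        echo "vault.sh: no vault named '$1' in $VAULTS_DIR" >&2
        return 1
    fi
    if vault_is_pgp "$f"; then
        gpg --quiet --batch --decrypt "$f"   # agent/pinentry supplies the PGP key passphrase
    else
        cat "$f"                             # clear text: only for throwaway vaults
    fi
}

# List the vaults, marking the current default and flagging clear text ones.
vault_list() {
    cur=$(vault_current)
    for f in "$VAULTS_DIR"/*; do
        name=${f##*/}
        [ "$name" = default ] && continue
        [ -f "$f" ] || continue
        if vault_is_pgp "$f"; then kind=pgp; else kind="CLEAR TEXT"; fi
        if [ "$name" = "$cur" ]; then mark='*'; else mark=' '; fi
        printf '%s %-20s %s\n' "$mark" "$name" "$kind"
    done
}

# Point the "default" symlink at vault $1 (refuses names that do not exist).
vault_set() {
    if [ -z "$1" ] || [ "$1" = default ] || [ ! -f "$VAULTS_DIR/$1" ]; then
        echo "vault.sh: cannot select '$1': no such vault in $VAULTS_DIR" >&2
        return 1
    fi
    prev=$(vault_current)
    echo "Changing default vault from '${prev:-none}' to '$1'"
    rm -f "$VAULTS_DIR/default"
    ln -s "$VAULTS_DIR/$1" "$VAULTS_DIR/default"
}

main() {
    case "${1:-}" in
        -l) vault_list ;;
        -s) vault_set "${2:-}" ;;
        -v) vault_read "${2:-}" ;;
        '') vault_read default ;;          # what Ansible calls: password on stdout
        *)  echo "usage: vault.sh [-l | -s NAME | -v NAME]" >&2; return 2 ;;
    esac
}

# Dispatch only when installed and invoked as vault.sh; under any other name
# (or when sourced) the functions are merely defined.
case "${0##*/}" in
    vault.sh) main "$@" ;;
esac
```

Ansible runs the file named by ANSIBLE_VAULT_PASSWORD_FILE when it is executable and uses its stdout as the password, which is why the no-argument path prints nothing but the secret. Because the directory holds the clear text vaults and the `default` link, keep it mode 0700 and the clear text entries 0600; the `-l` listing makes it obvious which entries are unencrypted.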
I hope it’s as useful, or more, to you as it is to me.
Enjoy!