Ansible Vault encryption
Ansible Vault overview
Ansible Vault is a feature added to Ansible that encrypts files holding sensitive data such as passwords and keys, so they are not stored in plaintext inside playbooks or roles.
Ansible Vault in practice
Ansible performs the encryption with the ansible-vault command. Syntax example:
[root@m01 ~]# ansible-vault --help
Usage: ansible-vault [create|decrypt|edit|encrypt|encrypt_string|rekey|view] [options] [vaultfile.yml]
Encrypting a file
ansible-vault encrypt include.yml
[root@li ~]#cat 1.yaml
- hosts: all
  vars:
    http_port: 8080
  tasks:
    - name: Deploy configuration file
      template:
        src: template.j2
        dest: /tmp/my_config.conf
[root@li ~]#ansible-vault encrypt 1.yaml
New Vault password:
Confirm New Vault password:
Encryption successful
[root@li ~]#cat 1.yaml
$ANSIBLE_VAULT;1.1;AES256
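As an added example (not part of the original post), a small Python check that a team could run in CI or a pre-commit hook to confirm that files meant to hold secrets actually carry the $ANSIBLE_VAULT envelope shown above and have not been committed in plaintext. The file names and contents are constructed; the hex-body check is stricter than Ansible's own header-only test and is an assumption of this example.

```python
import re

# Vault envelope: a header line "$ANSIBLE_VAULT;<format>;<cipher>[;<vault-id>]"
# followed by the hex-encoded payload, which ansible-vault wraps at 80 characters.
HEADER_RE = re.compile(r"^\$ANSIBLE_VAULT;(1\.[12]);([A-Z0-9]+)(?:;([^;\r\n]+))?$")
HEX_LINE_RE = re.compile(r"^[0-9a-f]+$")


def parse_vault_header(text):
    """Return (format_version, cipher, vault_id) for a vault envelope, else None."""
    lines = text.splitlines()
    if not lines:
        return None
    m = HEADER_RE.match(lines[0].strip())
    if m is None:
        return None
    body = [ln.strip() for ln in lines[1:] if ln.strip()]
    # Assumption: require a hex-only body, so a plaintext file that merely starts
    # with the marker is still reported as unencrypted.
    if not body or not all(HEX_LINE_RE.match(ln) for ln in body):
        return None
    return m.group(1), m.group(2), m.group(3)


def is_vault_encrypted(text):
    return parse_vault_header(text) is not None


def find_unencrypted(files):
    """Return the names of (name, content) pairs that are NOT vault-encrypted."""
    return [name for name, content in files if not is_vault_encrypted(content)]


# Constructed sample contents: not real secrets and not real ciphertext.
ENCRYPTED_SAMPLE = "$ANSIBLE_VAULT;1.1;AES256\n" + "0123456789abcdef" * 5 + "\n"
LABELLED_SAMPLE = "$ANSIBLE_VAULT;1.2;AES256;prod\n" + "abcdef0123456789" * 5 + "\n"
PLAINTEXT_SAMPLE = "db_password: hunter2\n"            # the mistake to catch
FAKE_HEADER_SAMPLE = "$ANSIBLE_VAULT;1.1;AES256\ndb_password: hunter2\n"

SAMPLE_FILES = [
    ("group_vars/all/vault.yml", PLAINTEXT_SAMPLE),
    ("group_vars/prod/vault.yml", LABELLED_SAMPLE),
    ("host_vars/db1/vault.yml", FAKE_HEADER_SAMPLE),
    ("1.yaml", ENCRYPTED_SAMPLE),
]

if __name__ == "__main__":
    for name in find_unencrypted(SAMPLE_FILES):
        print(f"NOT ENCRYPTED: {name}")
```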
[root@li ~]# ansible-vault view 1.yaml
Vault password:
- hosts: all
  vars:
    http_port: 8080
  tasks:
    - name: Deploy configuration file
      template:
        src: template.j2
        dest: /tmp/my_config.conf
Editing an encrypted file
[root@li ~]#ansible-vault edit 1.yaml
Vault password:
Changing the vault password
[root@m01 m01]# ansible-vault rekey include.yml
Vault password:
New Vault password:
Confirm New Vault password:
Rekey successful
Running an encrypted playbook
echo "1" > ansible.passwd
ansible-playbook 1.yaml --vault-password-file=ansible.passwd
[root@li ~]#ansible-playbook 1.yaml
ERROR! Attempting to decrypt but no vault secrets found
[root@li ~]#echo 1 > ansible.passwd
[root@li ~]#ansible-playbook 1.yaml --vault-password-file=ansible.passwd
PLAY [all] ********************************************************
TASK [Gathering Facts] ********************************************