Ansible Vault Single Encrypted Variable

Encrypting a variable

$ ansible-vault encrypt_string --stdin-name 'secret_variable'

Note: Sometimes you need to press Ctrl+D twice - do not press Enter, because that would append a newline to your secret :)

You can also pipe the value in (keep in mind that a secret typed literally on the command line ends up in your shell history):

$ echo -n "put your secret here" | ansible-vault encrypt_string --stdin-name 'secret_variable'

Decrypting a variable

Run the following command in your shell.

$ cat | sed -e '/^$/d;s/^[ \t]*//g' | ansible-vault decrypt

Then paste your encrypted string (without the `!vault |` tag and without the variable name) and press Ctrl+D.

Decrypting all variables at once

$ python query-group-vars.py -q '@' path/to/vars-file.yml   # --query is required; '@' selects the whole document
#!/usr/bin/env python
# Copyright 2018 Lukasz Szczesny
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
import argparse
import collections
import json
import jmespath
import yaml
from ansible import constants as C
from ansible.cli import CLI
from ansible.module_utils.six import PY3
from ansible.parsing.dataloader import DataLoader
from ansible.parsing.yaml.dumper import AnsibleDumper
from ansible.parsing.yaml.objects import AnsibleVaultEncryptedUnicode
from ansible.parsing.yaml.objects import AnsibleUnicode
def dump_vars_file(filename):
    """Load an Ansible vars file so that its vault-encrypted values can be emitted in plaintext.

    Two things happen here: a representer is installed on ``AnsibleDumper`` so
    that any ``AnsibleVaultEncryptedUnicode`` value is written as its decrypted
    text when the data is later dumped as YAML, and the file is loaded through
    a ``DataLoader`` whose vault secret comes from the configured default vault
    password file. Anything dumped from the returned data therefore contains
    plaintext secrets - treat the output accordingly.

    Args:
        filename: path of the vars file to load.

    Returns:
        Whatever ``DataLoader.load_from_file`` returns for *filename*.
    """

    def _represent_decrypted(dumper, node):
        # Decrypt with the vault object attached to the node. ``_ciphertext``
        # is a private attribute of AnsibleVaultEncryptedUnicode in this
        # ansible version; ``decode()`` turns the decrypted bytes into text.
        text = node.vault.decrypt(node._ciphertext).decode()
        if "\n" in text:
            # Literal block style ('|') keeps multi-line secrets readable.
            return dumper.represent_scalar(u'tag:yaml.org,2002:str', text,
                                           style='|')
        represent = dumper.represent_str if PY3 else dumper.represent_unicode
        return represent(text)

    # add_representer is a class method: this swaps the representer for
    # AnsibleVaultEncryptedUnicode process-wide, so every later
    # yaml.dump(..., Dumper=AnsibleDumper) shows plaintext instead of a
    # !vault block.
    AnsibleDumper.add_representer(
        AnsibleVaultEncryptedUnicode,
        _represent_decrypted,
    )

    loader = DataLoader()
    # Newer ansible releases expose CLI._play_prereqs and the multi-secret
    # vault API; older ones only support a single vault password.
    if getattr(CLI, '_play_prereqs', False):
        secrets = CLI.setup_vault_secrets(
            loader,
            vault_ids=C.DEFAULT_VAULT_IDENTITY_LIST,
            vault_password_files=[C.DEFAULT_VAULT_PASSWORD_FILE],
        )
        loader.set_vault_secrets(secrets)
    else:
        password = CLI.read_vault_password_file(C.DEFAULT_VAULT_PASSWORD_FILE,
                                                loader)
        loader.set_vault_password(password)
    return loader.load_from_file(filename)
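def _json_default(obj):
    """``json.dumps`` fallback: emit vault-encrypted values as their plaintext.

    ``AnsibleVaultEncryptedUnicode`` is not a ``str`` subclass, so ``json``
    cannot serialize it by itself and the JSON output would fail with a
    TypeError on any vaulted value. Everything else is rejected the same way
    ``json`` would reject it.

    Args:
        obj: the object ``json`` could not serialize.

    Returns:
        The decrypted text for a vault-encrypted value.

    Raises:
        TypeError: for any other object.
    """
    if isinstance(obj, AnsibleVaultEncryptedUnicode):
        return obj.data
    raise TypeError('Object of type %s is not JSON serializable'
                    % type(obj).__name__)


def main():
    """Command-line entry point: load a vars file, run a JMESPath query, print the result.

    Options:
        --format/-f  ``yaml`` (default), ``json`` or ``string``.
        --query/-q   JMESPath expression evaluated on the loaded data (required).
        filename     vars file to load.

    The printed result contains decrypted secrets in every format.

    Raises:
        ValueError: when ``--format string`` is used on a result that is not a
            string or a vault-encrypted string.
    """
    parser = argparse.ArgumentParser()
    parser.add_argument('--format', '-f', default='yaml',
                        choices=['yaml', 'json', 'string'],
                        help='Output format')
    # The option is required, so a default value would never be used.
    parser.add_argument('--query', '-q', required=True,
                        help='Execute a JMESPath on the results')
    parser.add_argument('filename', help='Group vars file to query')
    args = parser.parse_args()

    data = dump_vars_file(args.filename)
    # OrderedDict preserves the key order of the source file in the output.
    result = jmespath.search(args.query, data,
                             jmespath.Options(dict_cls=collections.OrderedDict))

    if args.format == 'json':
        print(json.dumps(result, sort_keys=True, indent=4,
                         default=_json_default))
    elif args.format == 'yaml':
        # AnsibleDumper carries the plaintext representer installed by
        # dump_vars_file.
        print(yaml.dump(result, Dumper=AnsibleDumper, allow_unicode=True,
                        default_flow_style=False))
    elif args.format == 'string':
        # A vault-encrypted scalar is not an AnsibleUnicode instance, so it
        # has to be decrypted explicitly via its ``data`` property.
        if isinstance(result, AnsibleVaultEncryptedUnicode):
            result = result.data
        elif not isinstance(result, AnsibleUnicode):
            raise ValueError('Use string format for strings only.')
        print(result)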
# Run the CLI only when executed as a script, not when imported.
if __name__ == '__main__':
    main()