Ansible Vault - ghdrako/doc_snipets GitHub Wiki

ansible-vault-win

Windows
pip install ansible-vault-win
/c/Python_3_10/Scripts/ansible-vault.exe view vault

Encrypt string HelloWorld

$ ansible-vault encrypt_string --vault-id @prompt HelloWorld
ansible-vault create <vault-encrypted-file>
ansible-vault view <vault-encrypted-file>
ansible-vault edit <vault-encrypted-file>
ansible-vault encrypt <plain-text-file>
ansible-vault rekey --ask-vault-pass <vault-encrypted-file> # change password of encrypted files
ansible-vault decrypt --ask-vault-pass <vault-encrypted-file> # replace encrypted file with decrypted file in place

AES256 encryption

  1. Create the file that will hold the secrets; this opens it in the editor named by the EDITOR variable
ansible-vault create secret.yaml
  2. Contents of secret.yaml
---
secretdata: "Secret data"
  3. Save in the editor and exit

  4. Reference the variable from the file in a playbook (vaultplaybook.yaml)

- name: Read a vaulted variable
  hosts: frontend
  vars_files:
    - secret.yaml
  tasks:
    - name: Print the secret
      debug:
        msg: "The secret is {{ secretdata }}"
  5. Run the playbook with --ask-vault-pass
ansible-playbook -i hosts vaultplaybook.yaml --ask-vault-pass

or read the password from a file (keep it mode 0600 and out of version control; if the file is executable, ansible runs it and uses its stdout, so it can fetch the password from a secret store instead of storing it on disk)

echo "password" > password_file
ansible-playbook -i hosts vaultplaybook.yaml --vault-password-file=password_file
  6. Edit the encrypted file
ansible-vault edit secret.yaml

ansible-vault encrypt_string "secret data" --name secretdata

The output can be pasted into an unencrypted playbook instead of referencing the vaulted file (only the value is encrypted; the variable name stays in plain text):

vars:
  secretdata: !vault |
        $ANSIBLE_VAULT;1.1;AES256
< paste the output of the previous command here >
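To make the `$ANSIBLE_VAULT;1.1;AES256` envelope concrete, here is an added example (not part of this wiki page and not Ansible's own code) that parses the text produced by `ansible-vault create` or `encrypt_string`, derives the keys the way Ansible's VaultAES256 does (PBKDF2-HMAC-SHA256, 10000 iterations, 80 bytes split into AES key, HMAC key and CTR IV), and checks a password against the stored HMAC; `decrypt()` additionally needs the `cryptography` package. The fixture `SAMPLE` is constructed with random bytes in place of real ciphertext, so only the password check is meaningful on it. The practical point: anyone holding a vault file can test passphrases offline at the cost of one PBKDF2 run per guess, so a vault file committed to a repository is only as safe as its passphrase.

```python
"""Reader for the Ansible Vault 1.1/1.2 AES256 envelope (added example).

Assumed layout (from ansible.parsing.vault.VaultAES256, not from this page):
header line ``$ANSIBLE_VAULT;<version>;AES256[;<vault-id>]`` followed by a
hex-encoded body that itself contains ``hex(salt)\\nhex(hmac)\\nhex(ciphertext)``.
"""
import binascii
import hashlib
import hmac
import os

HEADER = "$ANSIBLE_VAULT"
ITERATIONS = 10000


def parse_envelope(text):
    """Return (version, vault_id, salt, mac_hex, ciphertext).

    Leading lines such as ``secretdata: !vault |`` from a pasted
    encrypt_string result are skipped, and indentation is ignored.
    """
    lines = [line.strip() for line in text.splitlines() if line.strip()]
    idx = [i for i, line in enumerate(lines) if line.startswith(HEADER)]
    if not idx:
        raise ValueError("no $ANSIBLE_VAULT header found")
    fields = lines[idx[0]].split(";")
    if len(fields) < 3 or fields[2] != "AES256":
        raise ValueError("unsupported cipher in envelope header")
    version = fields[1]
    vault_id = fields[3] if len(fields) > 3 else None
    body = binascii.unhexlify("".join(lines[idx[0] + 1:]))
    salt_hex, mac_hex, ct_hex = body.split(b"\n")
    return (version, vault_id, binascii.unhexlify(salt_hex),
            mac_hex.decode(), binascii.unhexlify(ct_hex))


def derive_keys(password, salt):
    """PBKDF2-HMAC-SHA256 -> (aes_key, hmac_key, iv), as ansible-vault does."""
    raw = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                              ITERATIONS, dklen=80)
    return raw[:32], raw[32:64], raw[64:80]


def check_password(text, password):
    """True if `password` reproduces the HMAC stored in the envelope.

    This is exactly what an offline attacker does with a leaked vault file:
    derive, HMAC, compare -- no decryption needed to confirm a guess.
    """
    _, _, salt, mac_hex, ciphertext = parse_envelope(text)
    _, hmac_key, _ = derive_keys(password, salt)
    expected = hmac.new(hmac_key, ciphertext, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, mac_hex)


def decrypt(text, password):
    """Plaintext bytes, as `ansible-vault view` shows (needs `cryptography`)."""
    from cryptography.hazmat.primitives import padding
    from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
    if not check_password(text, password):
        raise ValueError("HMAC mismatch: wrong password or tampered file")
    _, _, salt, _, ciphertext = parse_envelope(text)
    aes_key, _, iv = derive_keys(password, salt)
    dec = Cipher(algorithms.AES(aes_key), modes.CTR(iv)).decryptor()
    padded = dec.update(ciphertext) + dec.finalize()   # AES-256-CTR
    unpad = padding.PKCS7(128).unpadder()               # ansible pads before CTR
    return unpad.update(padded) + unpad.finalize()


def build_envelope(password, ciphertext, salt=None, vault_id=None):
    """Wrap an already-encrypted body in a 1.1 (or 1.2, with vault id) envelope.

    Used here only to construct a fixture; real encryption is ansible-vault's job.
    """
    salt = salt or os.urandom(32)
    _, hmac_key, _ = derive_keys(password, salt)
    mac = hmac.new(hmac_key, ciphertext, hashlib.sha256).hexdigest()
    body = b"\n".join([binascii.hexlify(salt), mac.encode(), binascii.hexlify(ciphertext)])
    hexbody = binascii.hexlify(body).decode()
    header = f"{HEADER};1.2;AES256;{vault_id}" if vault_id else f"{HEADER};1.1;AES256"
    wrapped = [hexbody[i:i + 80] for i in range(0, len(hexbody), 80)]  # 80-col lines like ansible
    return "\n".join([header] + wrapped) + "\n"


# Constructed fixture: random bytes stand in for ciphertext, fixed salt for reproducibility.
SAMPLE = build_envelope("correct horse", os.urandom(48), salt=b"\x01" * 32)

if __name__ == "__main__":
    print(check_password(SAMPLE, "correct horse"), check_password(SAMPLE, "wrong"))
```

Point `check_password()` or `decrypt()` at the contents of a real secret.yaml to try it against a file produced by `ansible-vault create`; a header of `$ANSIBLE_VAULT;1.2;AES256;<id>` is what `--vault-id <id>@prompt` produces and parses the same way.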
HashiCorp Vault: LDAP auth entities, policies and Kubernetes auth

$> vault list auth/ldap/groups
Keys
----
card-pre-hcv-rw
vault-prod

$> vault list auth/ldap/users
Keys
----
jenkinsci_tu
card-pre-sa-hcv


vault read auth/ldap/users/card-pre-sa-hcv
Key         Value
---         -----
groups      n/a
policies    [approle_card-pre-sa-hc]


vault policy read approle_card-pre-sa-hcv
path "auth/approle/role/acp-jenkins-dmz/role-id" {
        capabilities = ["read"]
}
path "auth/approle/role/acp-jenkins-dmz/secret-id" {
        capabilities = [ "create", "update" ]
}

vault policy read card-pre-hcv-rw
path "secrets/multicloud/apps/<company>/<cloud provider ex gcp>/projects/<env>/<project>/*" {
        capabilities = ["create", "read", "update", "delete", "list"]
}

vault policy read vault-pre-biz-app-gcp-pr
path "secrets/*" {
        capabilities = ["list"]
}

path "/secrets/multicloud/apps/<company>/<cloud provider ex gcp>/projects/<env>/<project>/*" {
        capabilities = ["read"]
}


# Kubernetes auth: one Vault role per cluster namespace (auth mount c1-pre-biz-acp-gcp-pr, role acp); only the listed service accounts in the listed namespaces can log in, and the token they receive carries the policies below for 15 minutes
vault read auth/c1-pre-biz-acp-gcp-pr/role/acp
Key                                 Value
---                                 -----
alias_name_source                   serviceaccount_uid
bound_service_account_names         [default app-scdf]
bound_service_account_namespaces    [acp]
policies                            [vault-pre-biz-app-gcp-pr]
token_bound_cidrs                   []
token_explicit_max_ttl              0s
token_max_ttl                       0s
token_no_default_policy             false
token_num_uses                      0
token_period                        0s
token_policies                      [vault-pre-biz-app-gcp-pr]
token_ttl                           15m
token_type                          default
ttl                                 15m


curl -kv https://127.0.0.1:8200/v1/sys/seal-status  # run from inside a pod: shows which Vault instance the pod is wired to and whether it is sealed (-k skips certificate verification; acceptable only for this unauthenticated read-only probe)
curl -X GET -I -v https://vault.vault-controller.svc.cluster.local:8200/
curl -k -v --request POST --data @/opt/vault/payload.json https://vault.vault-controller.svc.cluster.local:8200/v1/auth/nawaza_/login  # login against an auth mount; for the Kubernetes method payload.json holds {"role": "<role>", "jwt": "<service-account token>"}; use --cacert <ca.crt> instead of -k here, since this call returns a client token
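The curl login above, written out as an added example (not from this wiki page or from HashiCorp) of the Kubernetes auth exchange: the client posts `{"role": ..., "jwt": ...}` to `/v1/auth/<mount>/login` with certificate verification on, and checks that the token it gets back carries the policy the role is supposed to attach. The mount `c1-pre-biz-acp-gcp-pr`, role `acp` and policy `vault-pre-biz-app-gcp-pr` are taken from the `vault read` output above; the CA file path, the token path and `SAMPLE_REPLY` are assumptions or constructed data.

```python
"""Kubernetes-auth login against HashiCorp Vault (added example)."""
import json
import ssl
import urllib.request

# Paths mounted into every pod by Kubernetes (assumed defaults, adjust if projected differently).
SA_TOKEN_PATH = "/var/run/secrets/kubernetes.io/serviceaccount/token"
SA_CA_PATH = "/var/run/secrets/kubernetes.io/serviceaccount/ca.crt"  # placeholder CA bundle for Vault's cert


def login_request(vault_addr, mount, role, jwt):
    """Build (url, json_body) for POST /v1/auth/<mount>/login."""
    url = f"{vault_addr.rstrip('/')}/v1/auth/{mount.strip('/')}/login"
    body = json.dumps({"role": role, "jwt": jwt}).encode()
    return url, body


def parse_login_response(raw, expected_policies=()):
    """Pull the client token out of Vault's reply and verify the attached policies."""
    data = json.loads(raw)
    auth = data.get("auth") or {}
    token = auth.get("client_token")
    if not token:
        raise ValueError(f"login failed: {data.get('errors')}")
    missing = set(expected_policies) - set(auth.get("token_policies", []))
    if missing:
        raise ValueError(f"token lacks policies {sorted(missing)}")
    return {
        "token": token,
        "ttl": auth.get("lease_duration"),      # seconds; 900 for the 15m role above
        "renewable": auth.get("renewable", False),
    }


def login(vault_addr, mount, role, cafile=SA_CA_PATH, jwt_path=SA_TOKEN_PATH,
          expected_policies=()):
    """Run the exchange with TLS verification on (what curl -k skips)."""
    with open(jwt_path) as fh:
        jwt = fh.read().strip()
    url, body = login_request(vault_addr, mount, role, jwt)
    ctx = ssl.create_default_context(cafile=cafile)
    req = urllib.request.Request(url, data=body, method="POST",
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
        return parse_login_response(resp.read(), expected_policies)


# Constructed sample reply in the shape Vault returns for a successful Kubernetes login.
SAMPLE_REPLY = json.dumps({
    "auth": {
        "client_token": "hvs.CAESI...example",
        "token_policies": ["default", "vault-pre-biz-app-gcp-pr"],
        "lease_duration": 900,
        "renewable": True,
        "metadata": {"role": "acp", "service_account_namespace": "acp"},
    }
})

if __name__ == "__main__":
    print(parse_login_response(SAMPLE_REPLY, ["vault-pre-biz-app-gcp-pr"]))
```

Inside a pod, `login("https://vault.vault-controller.svc.cluster.local:8200", "c1-pre-biz-acp-gcp-pr", "acp", expected_policies=["vault-pre-biz-app-gcp-pr"])` performs the real call; a reply without `auth.client_token` (for example `{"errors": ["permission denied"]}` when the service account is not in `bound_service_account_names`) raises instead of silently returning an empty token.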