ansible_vault

Ansible-vault

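  • Ansible's encryption module; it encrypts sensitive information such as passwords and tokens;
  • The simplest usage is shown here: store the SSH password encrypted and retrieve the remote host's hostname;
1.
# Inventory: no SSH key has been copied to the host (ssh-copy), and the remote password is not written in plaintext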
$ cat /etc/ansible/hosts
client_105 ansible_ssh_host=192.168.38.105 key=105

2.
# Define the SSH password in pwd.yaml
# tasks: use the remote password to get the hostname

$ cat test_vault.yaml

---
- hosts: all
  gather_facts: False
  vars_files:
    - pwd.yaml
  tasks:
    - name: get hostname
      shell: hostname
      register: info
    - name: print hostname
      debug: msg="the variable is {{ info }}"

3.
# Define the SSH password file
# It must be in dict format
$ cat pwd.yaml
---
ansible_ssh_pass: "client105"

4.
# Encrypt pwd.yaml (enter the encryption key):
$ ansible-vault encrypt pwd.yaml
New Vault password:
Confirm New Vault password:
Encryption successful

$ cat pwd.yaml
$ANSIBLE_VAULT;1.1;AES256
33636264323464613265343965616563343366333233313135373337636162396437333466643165
6164323334303632613633666330643362313563356134330a326563363533656362396131323036
64333734646564666238343036363836633038383532633339313837653831356338656465663863
3339613638333765330a333161383131633534653532306464636231316466336534656466356338
34643334356636613639623838306564626535643234643161653335376138666538636339663665
3164633330313133633538396432333932353765636632373338

5.
# Verify:
-- Run the playbook interactively:
    ansible-playbook test_vault.yaml --ask-vault-pass
-- Key stored in a file:
    ansible-playbook test_vault.yaml --vault-password-file ~/.ansible/duan.txt

6. duan.txt
$ cat ~/.ansible/duan.txt
duan
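
Added example (not from the original post): a Python check, suitable for a pre-commit hook, that confirms pwd.yaml really is a vault envelope like the one shown in step 4 and that the password file from step 6 is neither group/other-accessible nor trivially short. The function names, `MIN_PASSPHRASE_LEN` and the sample envelope are assumptions constructed for illustration.

```python
import binascii
import os
import stat

MIN_PASSPHRASE_LEN = 16  # assumed policy threshold, not an Ansible default


def parse_vault(text):
    """Return (version, salt, hmac, ciphertext); raise ValueError if not a vault envelope."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    header = lines[0].split(";") if lines else []
    if len(header) < 3 or header[0] != "$ANSIBLE_VAULT" or header[2] != "AES256":
        raise ValueError("no $ANSIBLE_VAULT AES256 header: file is not encrypted")
    try:
        # Body is hex of three newline-joined hex strings: salt, HMAC, ciphertext.
        inner = binascii.unhexlify("".join(lines[1:]))
        salt, mac, ct = (binascii.unhexlify(part) for part in inner.split(b"\n"))
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise ValueError(f"malformed vault body: {exc}") from None
    if len(salt) != 32 or len(mac) != 32 or not ct or len(ct) % 16:
        raise ValueError("unexpected salt/HMAC/ciphertext sizes")
    return header[1], salt, mac, ct


def password_file_problems(path):
    """List problems with a --vault-password-file such as ~/.ansible/duan.txt."""
    problems = []
    if os.stat(path).st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append("accessible by group/other; run chmod 600")
    with open(path, encoding="utf-8") as fh:
        if len(fh.read().strip()) < MIN_PASSPHRASE_LEN:
            problems.append(f"passphrase shorter than {MIN_PASSPHRASE_LEN} characters")
    return problems


def make_sample():
    """Constructed envelope (fixed filler bytes, no real secret) for a dry run."""
    fields = [bytes(range(32)), bytes(range(32, 64)), bytes(48)]
    body = binascii.hexlify(b"\n".join(binascii.hexlify(f) for f in fields)).decode()
    wrapped = "\n".join(body[i:i + 80] for i in range(0, len(body), 80))
    return "$ANSIBLE_VAULT;1.1;AES256\n" + wrapped + "\n"


if __name__ == "__main__":
    version, salt, mac, ct = parse_vault(make_sample())
    print(f"vault {version}: salt={len(salt)}B hmac={len(mac)}B ciphertext={len(ct)}B")
    try:
        parse_vault('---\nansible_ssh_pass: "client105"\n')  # pwd.yaml before step 4
    except ValueError as err:
        print("refuse to commit:", err)
```

The parser only validates the envelope structure; it does not decrypt or verify the HMAC, which still requires the vault password.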