comments inline...

> Can I specify the vault password once I'm already in the playbook (but
> obviously before I've tried to read from the vault file)?


Not in 2.3.

Sort of in 2.4. But more importantly, you may not need to, since 2.4 will
have some support for multiple vaults/vault passwords per invocation.

> Right now I have a few different text files containing different passwords
> for the vaults for different instances of our app. Once I've figured out
> what instance I need to work with, I'd like to load the contents of that
> file as the password so I can load variables from the vault files.
> Otherwise I need to provide the vault file on the CLI every time (kind-of a
> pain to type out a lot), and I can't deal with multiple vaults with
> different passwords in the same playbook.
>


> The different vault files need to have different passwords (not all
> developers should have access to variables for all instances).
>

In 2.4, you can use multiple vault passwords.

You can have multiple vaulted files and each file can have a different
vault password (multiple vaulted files can also share the same password).

YAML files can include embedded vaulted variables, with each embedded vault
using a different password (in the same file, or spread across multiple
YAML files).

The docs are just getting started, but
https://groups.google.com/d/msg/ansible-project/qG4n_Psys44/675CBpjVAAAJ
has an overview and some examples if you want to try it.
I would appreciate any feedback!


With 2.4, for your use case, I would create a vault password file for each
secret. For example:

$ ls *_vault_secret
dev_vault_secret
stage_vault_secret
prod_vault_secret
admin_vault_secret

Then I would encrypt each playbook file that needs encryption with the
appropriate vault-id.
For example, if there is a set of db_password files to deploy to app servers:

files/dev_db_password
files/stage_db_password
files/prod_db_password
files/admin_db_password


    ansible-vault encrypt --vault-id dev@dev_vault_secret files/dev_db_password
    ansible-vault encrypt --vault-id stage@stage_vault_secret files/stage_db_password
    ansible-vault encrypt --vault-id prod@prod_vault_secret files/prod_db_password
    ansible-vault encrypt --vault-id admin@admin_vault_secret files/admin_db_password

# '--vault-id admin@admin_vault_secret' means 'use the vault-id "admin"
# and its password from "admin_vault_secret"'

To run 'dev_site.yml' with the dev and stage secrets:

    ansible-playbook --vault-id dev@dev_vault_secret --vault-id stage@stage_vault_secret dev_site.yml

dev_db_password will be decrypted with the 'dev' vault-id (the password
from dev_vault_secret) etc.

The admins could use:

    ansible-playbook --vault-id admin@admin_vault_secret --vault-id stage@stage_vault_secret stage_site_db_truncate.yml

[Looking at your example, I see that it will be useful to be able to
specify a list of vault-ids in ansible.cfg. Currently, devel/ code can
use the existing vault_password_file config to specify a single default
vault-id, but I'll try to get something like an 'ansible_vault_id_list'
config variable added as well.]

Note that with the default config, if you provide a vault-id that is not used
or fails to decrypt something, that doesn't cause a failure as long as some
other vault-id (or --vault-password-file or --ask-vault-pass) does; i.e., you
can provide extra unused vault-ids on the CLI.

> At the moment, I have `vault_password_file` in `ansible.cfg` pointing to a
> symlink that points to the actual password file. I have tried changing that
> symlink to point to the correct password via a playbook task before
> accessing the desired vault, but this doesn't seem to work - my guess is
> `ansible-playbook` reads the value into memory at boot and not from the
> file when it's needed.
>


At the moment (in 2.3 and devel), the vault password[s] are loaded when the
CLI starts up [1], before the playbook starts running (and before loading
any vault-encrypted files, as you mentioned). So changing the symlink as you
describe won't work.

But they aren't used until some vault content needs them; i.e., if a playbook
folder includes a file vault-encrypted with the 'dev' vault-id and
password, but running the playbook doesn't need to load that file, then you
do not need to provide the 'dev' vault-id/password.

If the playbook does load a vault-encrypted file and needs a
vault-id/secret that isn't provided, then that will cause a vault error.





[1] The code in the devel/ branch currently will try to load the password at
startup, but the internal API is designed to let it do that on demand in
future versions. That's not enabled yet, mainly because of UXD issues and the
complexities of prompting users across ansible worker processes. But the
non-interactive cases (i.e., loading from a vault password file) could be
updated to lazy-load the password files pretty easily. If the 2.4 features
look useful and that seems like something worth pursuing, let me know.


On Tue, Aug 8, 2017 at 12:19 AM, <n...@neilsouza.com> wrote:

> Can I specify the vault password once I'm already in the playbook (but
> obviously before I've tried to read from the vault file)?
>
> Right now I have a few different text files containing different passwords
> for the vaults for different instances of our app. Once I've figured out
> what instance I need to work with, I'd like to load the contents of that
> file as the password so I can load variables from the vault files.
> Otherwise I need to provide the vault file on the CLI every time (kind-of a
> pain to type out a lot), and I can't deal with multiple vaults with
> different passwords in the same playbook.
>
> The different vault files need to have different passwords (not all
> developers should have access to variables for all instances).
>
>
> Thanks in advance, Neil.
>
>

-- 
You received this message because you are subscribed to the Google Groups 
"Ansible Project" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ansible-project+unsubscr...@googlegroups.com.
To post to this group, send email to ansible-project@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/ansible-project/CAOJNLf-DQAbVvDXmmMDazSVZ__nSPDVsz%2BteLqGntbj3YC0nBg%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

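The secret-selection behaviour the reply above describes for 2.4 (the vault-id label in a file's header is tried first, every other loaded secret afterwards, so an unused or non-matching --vault-id is harmless, and only a file that no loaded secret fits becomes a vault error), as an added example in Python. This is not Ansible's own code. It assumes the public vault envelope layout and key derivation: a header line `$ANSIBLE_VAULT;1.2;AES256;<vault-id>` (1.1 carries no label), then the hex encoding of `salt_hex\nhmac_hex\nciphertext_hex`, with PBKDF2-HMAC-SHA256 at 10000 rounds stretching the password into 80 bytes split into AES key, HMAC key and IV. The AES-CTR step is left out because the standard library has no AES, so the "ciphertext" inside the constructed envelope is an opaque byte string; the HMAC-SHA256 check over it is what decides whether a given secret fits a file, and that is all the selection logic needs. The function names (`make_envelope`, `select_secret`, `secret_fits`, `demo`) and the sample passwords standing in for the `*_vault_secret` files are the example's own.

```python
"""Which --vault-id decrypts a given ansible-vault file?  Added example, not
Ansible's code.  Assumed (see comments): vault envelope layout, PBKDF2 split,
HMAC check.  AES-CTR itself is omitted; ciphertext bytes are opaque stand-ins."""
import binascii
import hashlib
import hmac
import os

HEADER_TAG = "$ANSIBLE_VAULT"
PBKDF2_ROUNDS = 10000            # assumed: ansible-vault's iteration count
SALT_LEN, KEY_LEN, IV_LEN = 32, 32, 16

# Constructed sample contents of the password files from the mail (the real
# files hold one line each; ansible strips the trailing newline when reading).
PASSWORDS = {
    "dev": b"dev-vault-secret-0xC0FFEE",
    "stage": b"stage-vault-secret-0xBEEF",
    "prod": b"prod-vault-secret-0xF00D",
    "admin": b"admin-vault-secret-0xD00D",
}


def derive_keys(password: bytes, salt: bytes):
    """PBKDF2-HMAC-SHA256 -> (aes_key, hmac_key, iv); assumed vault key split."""
    d = hashlib.pbkdf2_hmac("sha256", password, salt, PBKDF2_ROUNDS, 2 * KEY_LEN + IV_LEN)
    return d[:KEY_LEN], d[KEY_LEN:2 * KEY_LEN], d[2 * KEY_LEN:]


def make_envelope(vault_id, password: bytes, ciphertext: bytes, salt: bytes = None) -> str:
    """Wrap already-encrypted bytes the way ansible-vault writes a file (assumed layout).

    ciphertext is opaque here: a real file would hold AES-256-CTR output.
    """
    salt = salt or os.urandom(SALT_LEN)
    _, hmac_key, _ = derive_keys(password, salt)
    mac_hex = hmac.new(hmac_key, ciphertext, hashlib.sha256).hexdigest().encode()
    inner = b"\n".join([binascii.hexlify(salt), mac_hex, binascii.hexlify(ciphertext)])
    body = binascii.hexlify(inner).decode()
    header = f"{HEADER_TAG};1.2;AES256;{vault_id}" if vault_id else f"{HEADER_TAG};1.1;AES256"
    lines = [body[i:i + 80] for i in range(0, len(body), 80)]   # 80-column wrapping
    return "\n".join([header] + lines) + "\n"


def parse_envelope(text: str):
    """Return (vault_id or None, salt, hmac_hex, ciphertext) from a vault file."""
    header, *rest = text.strip().splitlines()
    parts = header.split(";")
    if parts[0] != HEADER_TAG or len(parts) < 3 or parts[2] != "AES256":
        raise ValueError("not an AES256 ansible-vault envelope")
    vault_id = parts[3] if len(parts) > 3 else None      # only present in 1.2 headers
    inner = binascii.unhexlify("".join(rest))
    salt_hex, mac_hex, ct_hex = inner.split(b"\n", 2)
    return vault_id, binascii.unhexlify(salt_hex), mac_hex.decode(), binascii.unhexlify(ct_hex)


def secret_fits(password: bytes, salt: bytes, mac_hex: str, ciphertext: bytes) -> bool:
    """The check run before any decryption: HMAC-SHA256(key2, ciphertext) must match."""
    _, hmac_key, _ = derive_keys(password, salt)
    expected = hmac.new(hmac_key, ciphertext, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, mac_hex)        # constant-time compare


def select_secret(envelope: str, secrets):
    """Return the vault-id whose secret fits, or None if none does.

    secrets: [(vault_id, password_bytes), ...] in --vault-id order.  The label in
    the header is a hint tried first; every other loaded secret is tried after it,
    so extra or mismatched --vault-id values never fail on their own.
    """
    label, salt, mac_hex, ct = parse_envelope(envelope)
    ordered = [s for s in secrets if s[0] == label] + [s for s in secrets if s[0] != label]
    for vault_id, password in ordered:
        if secret_fits(password, salt, mac_hex, ct):
            return vault_id
    return None                                          # becomes a vault error in a play


def demo() -> str:
    """files/stage_db_password encrypted with stage@stage_vault_secret, run with
    '--vault-id dev@dev_vault_secret --vault-id stage@stage_vault_secret'."""
    envelope = make_envelope("stage", PASSWORDS["stage"], b"\x8a\x03opaque-ctr-output")
    cli_secrets = [("dev", PASSWORDS["dev"]), ("stage", PASSWORDS["stage"])]
    return select_secret(envelope, cli_secrets)


if __name__ == "__main__":
    print("decrypted with vault-id:", demo())
```

Feed `select_secret` an envelope labelled `admin` while only `prod@prod_vault_secret` is loaded and it still returns `prod` if the two password files happen to hold the same secret; hand it an envelope nobody's secret fits and it returns None, which is the one case that surfaces as an error when the play actually loads that file.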